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Introduction to the Intel486™ | 
Microprocessor Family 


CHAPTER 1 : 
INTRODUCTION TO THE 
Intel486™ MICROPROCESSOR FAMILY 


The Intel486 microprocessors offer the highest performance for DOS, OS/2, Windows 
and UNIX System V/386 applications. The Intel486 microprocessor family currently 
includes the Intel486 SX CPU (and Intel487™ SX Math CoProcessor), Intel486 DX 
CPU, and the Intel486 DX2 CPU. These processors are 100% binary compatible with 
one another and with the Intel386™ family. of microprocessors. Throughout this text, 
these members are collectively referred to as the “Intel486 processor.’ ’ The high integra- 
tion Intel486 processors maintain binary compatibility with previous members of the x86 
architectural family. The instruction set microarchitecture has been reimplemented 
using RISC design techniques such that frequently used instructions execute in one 
cycle. An 8-Kbyte unified code and data cache combined with the high bandwidth, burst- 
able data bus allow this performance level to be sustained, providing a significant per- 
formance advantage without additional system complexity. 


New features enhance multiprocessing systems. New instructions speed manipulation of 
memory-based semaphores. On-chip hardware ensures cache consistency and provides 
hooks for multi-level caching. 


The built-in self-test extensively tests on-chip logic, cache memory and the on-chip pag- 
ing translation cache. Debug features include ao oe on code execution and 
data accesses. | | 


Features of the Intel486 processor include: 


oe Full binary compatibility with Intel386 DX CPU, Intel386 SX CPU, Intel386 SL, 
376™ embedded processor, 80286, 8086, and 8088 processors. 


o Execution unit designed to execute frequently-used instructions in one clock cycle. 
o 32-bit integer processor for performing arithmetic and logical operations. 


e Internal or coprocessor floating-point unit (Intel486 FPU) for supporting the 32-, 64-, 
and 80-bit formats specified in IEEE standard 754 (object-code compatible with 
Intel387™ DX and Intel387 SX math coprocessors). 


e Internal 8-Kbyte cache memory, which Provides fast access to recently-used instruc- 
tions and data. 


o Bus control signals for maintaining cache consistency in multiprocessor systems. 


e Segmentation, a form of memory management for creating independent, penn 
address spaces. 


e Paging, a form of memory management which sioydes access to data structures 
larger than the available memory space by keeping them pays in memory and partly 
on disk. 


e Restartable instructions that allow a program to be restarted ‘ilove an exception 
(necessary for supporting demand-paged virtual memory). 


e Pipelined instruction execution overlaps the interpretation of different instructions. © 
e Debugging registers for hardware support of instruction and data breakpoints. 
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The Intel486 processors are object-code compatible with four other Intel386 processors: 


Intel386 DX Processor (32-bit data bus) — A cost- effective form for high-end personal 
computers and mid-range workstations. 


Intel386 SX Processor (16-bit data bus)—The Intel386 processor adapted for mid- 
range personal computers, which are sensitive to the higher system cost of a 32-bit 


bus. 


| Intel386 SL Processor (16-bit data bus) — ae high integtation: static Intel386 micropro- 


cessor with ISA peripheral subsystem and power management. 


376 Embedded Processor (16-bit data bus) —A reduced form of the Intel386 proces- 
sor optimized for embedded applications, such as process controllers. The 376 pro- 
cessor lacks the paging and 8086- -compatibility features provided in the Intel486 
processor. The 376 processor is available in a surface-mount plastic package, which 


. provides the lowest cost and smallest form factor for any implementation of the 
— Intel386 processor. a 


The operating mode of the Intel486 processor determines which instructions and archi- 
tectural features are accessible. The Intel486 processor has three modes for running 
programs: = 


Protected mode uses the native 32-bit instruction set of the processor. In this mode 
all instructions and architectural features are available. 


Real-address mode (also called “real mode’) emulates the programming environ- 
ment of the 8086 processor, with a few extensions (such as the ability to break out of 
this mode). Reset initialization places the processor into real mode. 


Virtual- 8086 mode (also called “V86 mode”) is another form of 8086 emulation 
mode. Unlike real-address mode, virtual-8086 mode is compatible with protection and 
memory-management. The processor can enter virtual-8086 mode from protected 
mode to run a program written for the 8086 processor, then leave virtual-8086 mode 
and re-enter protected mode to continue a program which uses the 32-bit instruction 


_ Set. 


1.1 ORGANIZATION OF THIS MANUAL 


This book presents the architecture of the Intel486 processor in five parts: 


Part I—Application Programming 


Part II1—System Programming 


Part IIJ— Numeric Processing 


Part IV—Compatibility 


Part v- Instruction Set 


Appendices 
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These divisions are determined by the architecture and by the ways programmers use 
this book. The first three parts are explanatory, showing the purpose of architectural 
features, developing terminology and concepts, and describing instructions as they relate 
to specific purposes or to specific architectural features. The remaining parts are refer- 
ence material for programmers developing software for the Intel486 processor. 


The first four parts cover the operating modes and protection mechanism of the Intel486 
processor. The distinction between application programming and system programming is 
related to the protection mechanism of the Intel486 processor. One purpose of protec- 
tion is to prevent applications from interfering with the operating system. For this rea- 
son, certain registers and instructions are inaccessible to application programs. The 
features discussed in Part I and Part III are those which are accessible to applications; 
the features in Part II are available only to programs running with special privileges, or 
programs running on systems where the protection mechanism is not used. 


The features available to application programs in protected mode and to all programs in 
virtual-8086 mode are the same. These features are described in Part I and Part III of 
this book. The additional features available to system programs in protected mode are 
described in Part II. Part IV describes real-address mode and virtual- 8086 mode, as well 
as how to run a mix of 16-bit and 32-bit programs. 


1.1.1 Part |—Application Programming 


This part presents the features used by most application programmers. It does not 
include features used in numeric applications, which are discussed in Part III. 


Chapter 2 — Basic Programming Model: Introduces the models of memory organization. 
Defines the data types. Presents the register set used by applications. Introduces the 
stack. Explains string operations. Defines the parts of an instruction. Explains address 
calculations. Introduces interrupts and exceptions as they apply to application 
programming. 


Chapter 3—Application Programming: Surveys the instructions. commonly used for 
application programming. Considers instructions in functionally related groups; for 
example, string instructions are considered in one section, while control-transfer instruc- 
tions are considered in another. Explains the concepts behind the instructions. Details of 
individual instructions are deferred until Part IV, the instruction-set reference. 


1.1.2 Part Il—System Programming 


This part presents the features used by operating systems, device drivers, debuggers, and 
other software which support application programs. Some additional information rele- 
vant to systems programming is presented in Part III. 
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Chapter 4— System Architecture: Describes the features of the Intel486 processor used 
by system programmers. Introduces the registers and data structures of the Intel486 
processor which are not discussed in Part I or Part HI. Introduces the system-oriented 
instructions in the context of the registers and data structures they support. References 
the chapters in which each register, data structure, and instruction is discussed in-more 
detail. 


Chapter 5 — — Memory Nidnaeencut Presents details of the data structures, registers, dnd 
instructions which support segmentation. Explains how system designers can choose 
between an unsegmented (“flat”) model of memory organization and a model with 
segmentation. | , 


Chapter 6 — Protection: Discusses protection as it applies to segments. Explains the 
implementation of privilege rules, stack switching, pointer validation, user and supervi- 
sor modes. Protection aspects of multitasking are deferred until the following chapter. 


Chapter 7 — Multitasking: Explains how the hardware of the Intel486 processor supports 
multitasking with context- pevuchine operations and intertask protection. | | 


Chapter §— Input/Output: Deserves the I/O features of the Intel486 processor, ‘adhe. 
ing I/O instructions, protection as it relates to I/O, and the I/O permission bit map. 


Chapter 9— Exceptions and Interrupts: Pxplains the basic interrupt mechanisms of the 
Intel486 processor. Shows how interrupts and exceptions relate to protection. Discusses 
all possible exceptions, listing causes and including buonmauon needed to handle and 
recover from each exception. 


Chapter 10— Initialization: Defines the condition of the processor after reset initializa- 
tion. Explains how to set up registers, flags, and data structures. Shows how to test the 
on-chip cache and the translation lookaside buffer. rowan an eratuple ofa an. See 
tion program. : : : 7 : 


Chapter l- 2Hebugsing: Tells Hew to use the debisenis Renton of the Intel486 
processor. 


Chapter 12—Caching: Explains the general concept of caching and the pecMne mecha- 
nisms used by the internal cache on the Intel486 eee oe, — 


Chapter 13 — Multiprocessing: eee the instructions and flaps amici support multiple 
processors with shared memory. 


1.1.3 Part IIl—Numeric Processing 


This part explains the floating-point arithmetic features of the Intel486 microprocessor 
family. These features are an object-code compatible implementation of the features 
provided by the Intel387 DX or SX math ae used with _ Intel386 DX or SX. 
processor. 
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Chapter 14— Introduction to Numeric Applications: Gives an overview of the floating- 
point.unit and reviews the concepts of numerical computation. 


Chapter 15— Architecture of the Floating-Point Unit: Presents the floating-point regis- 
ters and data types available to both applications and systems programmers. 


Chapter 16—Special Computational Situations: Discusses the special values that can be 
represented in the real formats of the Intel486 processor—denormal numbers, zeros, 
infinities, NaNs (Not a Number)—as well as the numerical exceptions. This chapter 
should be read thoroughly by systems programmers, but can be skimmed by applications 
programmers. Many of these special situations may never arise in applications programs. 


Chapter 17 — Floating-Point Instruction Set: Surveys the instructions commonly used for 
numeric processing. Details of individual instructions are deferred until Part V, the 
instruction-set reference. 


Chapter 18—Numeric Applications: Describes the Intel486 processor’s floating-point 
arithmetic facilities. Gives short programming examples in both oy language and 
high-level languages. 


Chapter 19—System-Level Considerations: Provides information of interest to systems 
soitware writers. 


Chapter 20 — Numeric Programming Examples: Provides detailed examples of assembly- 
language numeric programming with the Intel486 processor, including conditional 
branching, conversion between floating-point values and their ASCII representations, 
and use of trigonometric functions. 


1.1.4 Part lV— Compatibility 


This part explains the features of the architecture which support programs written for 
earlier Intel processors. The native mode of execution is an upward-compatible superset 
of the environment of the 286 and Intel386 processors. All three execution modes have 
support for 16-bit programming: 16-bit operations can be performed in protected mode 
using the operand-size prefix, programs written for the 8086 processor or the real mode 
of the 286 processor can run in real mode on the Intel386 DX or SX processor, and a 
virtual machine monitor can be used to emulate real mode using virtual- 8086 mode, even 
while multitasking with 32-bit programs. 


Chapter 21— Executing 286 and Intel386 DX or SX CPU Programs: Explains the pro- 
gramming differences between the 286 and Intel486 processors, and between the 
Intel386 DX and SX and Intel486 processors. 


Chapter 22—Real-Address Mode: Explains the real mode of the Intel486 processor. In 
this mode, the Intel486 processor appears as a fast real-mode 286 or Intel386 processor 
or a fast 8086 processor enhanced with additional instructions. 
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Chapter 23 — Virtual-8086 Mode: Describes how the Intel486 processor supports execu- 
tion of one or more 8086, 8088, 80186 or 80188 programs in an Intel486 processor 
protected-mode environment. 


Chapter 24 — Mixing 16- Bit and 32-Bit Code: Explains how the Intel486 processor can 
mix 16-bit and 32-bit modules within the same program or task. Any Daracular module 
can use both 16-bit and 32- bit operands and addresses. | | 


Chapter 25— — Compatibility with $087, Intel287, and Intel387 Math CoProcessors: Com- 
pares the floating-point unit of the Intel486 processors with the antarete of the numer- 
ics coprocessors used with earlier Intel processors. 7 


1.1.5 Part V—Instruction Set 


Parts I, I, and III present the general features of the instruction set as they relate to 
specific aspects of the architecture. Part V presents the instructions in alphabetical 
order, with. the detail needed by assembly language programmers and programmers of 
debuggers, compilers, operating systems, etc. Instruction descriptions include an algo- 
rithmic description of operations, effect of flag settings, effect on flag settings, effect of 
operand- and address-size attributes, and exceptions which may be generated. 


1.1.6 Appendices 


The appendices present tables of encodings and other details i in a format designed for 
quick reference by programmers. 


1.2 RELATED LITERATURE — 
The following books contain additional material related to Intel processors: 


Intel386™ Processor Hardware Reference Manual, Order Number 231732 

Intel386™ Processor System Software Writer’s Guide, Order Number 231499 | 
Intel386™ High-Performance 32-Bit CHMOS Microprocessor with Integrated Memory Man- 
agement, Order Number 231630 | ; 
376"™ Embedded Processor Programmer's Reference Manual, Order Number 240314, _ 
Intel386™ DX Processor Programmer’s Reference Manual, Order Number 230985 
Intel386™ SX Processor Programmer’s Reference Manual, Order Number 240331 — 

80387 Programmer’s Reference Manual, Order Number 231917 

376™ High-Performance 32-Bit Embedded Processor, Order Number 240182 

Intel386™ SX Microprocessor, Order Number 240187 | | 
50-MHz Intel486™ DX CPU-Cache Chip Set Hardware Reference Manual, Order Neuve: 
241172 

50-MHz Intel486™ DX CPU-Cache Module Hardware Tees Manual, oe eae 
241091 | 2 7 
Microprocessor and evipheral Handbook (vol. 1), Order Number 230843 
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The Intel486™ Microprocessor Hardware Reference Manual is the companion of this book 
for use by hardware designers. It contains. information which may be useful to program- 
mers, especially system programmers..Order Number 240552 


The Intel486™ Microprocessor Data Book (Order Number 240440), Intel486™ DX2 Micro- 
processor Data Book (Order Number 241245-001), and Intel486™ SX CPU/Intel487™ SX 
Math CoProcessor Data Book (Order Number 240950-002) contains the latest informa- 
tion regarding device parameters (voltage levels, bus cycle timing, priority of simulta- 
neous exceptions and interrupts, etc.). | : ee 


The Intel486™ Microprocessor Product Brief Book describes many related products com- 
monly used with Intel486 CPU. Order Number 240459 _ a 7 


1.3 NOTATIONAL CONVENTIONS 


This manual uses special notation for data-structure formats, for symbolic representation 
of instructions, and for hexadecimal numbers. A review of this notation makes the man- 
ual easier to read. : o o 


1.3.1 Bit and Byte Order 


In illustrations of data structures in memory, smaller addresses appear toward the bot- 
tom of the figure; addresses increase toward the top. Bit. positions aré numbered from 
right to left. The numerical value of a set bit is equal to two raised to the power of the bit 
‘position. The Intel486 processor is a “little endian” machine; this means the bytes‘of a 
word are numbered starting from the least significant byte. Figure 1-1 illustrates these 
conventions. su coe 


DATA STRUCTURE 


<—BIT OFFSET — 


GREATEST 28 


3 


a SMALLEST: 


| BYTE3 BYTE2 BYTE1 BYTEO | 0 ,ppRESS 


' BYTEOFFSET = 


fas 


1 — 23. — 15 7 
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_ Figure 1-1. Bit and Byte Order | 


1-7 


intel. INTRODUCTION TO THE Intel486™ MICROPROCESSOR FAMILY 


Numbers are usually expressed in decimal notation (base 10). When hexadecimal 
(base 16) numbers are used, they are indicated by an ‘H’ suffix. - 3 , 


1.3.2 Undefined Bits and Software Compatibility | 


In many ree and memory layout descriptions, certain bits are marked as seca: 
When bits are marked as undefined or reserved, it is essential for compatibility with 
future processors that software treat these bits as having a future, though unknown, 
effect. Software should follow these guidelines 1 in dealing with reserved bits: 


© Do not depend on the states of any reserved bits when testing the values of reer 
which contain such bits. Mask out the reserved bits before testing. 


e Do not depend on the states of any reserved bits when stone: to memory. or "to a 
register. 


e Do not depend on the ability to retain information written into any reserved bits. 

e When loading a register, always load the reserved bits with the values indicated in the 
documentation, if any, or reload them with values previously stored from the same 
register. 


NOTE 


. Depending upon 1 the Wulies Of. reserved register bits will make software dependent upon oe 
the unspecified manner in which the Intel486 processor handles these bits. Depending _ 

_ -upon reserved values risks incompatibility with future processors. AVOID ANY SOFT- © 
WARE DEPENDENCE UPON THE STATE OF RESERVED Intel486 PROCESSOR © 
REGISTER BITS. 


1.3.3 Instruction Operands 
When instructions are represented symbolically, a subset of the assembly language for 
the Intel486 processor is used. In this subset, an instruction has the following format: 


label: mnemonic argument1, argument2, argument3 


where: Oo 
e A label is an identifier which is followed by a colon. 


e A mnemonic is a reserved name for a class of instruction opcodes which have the 
- game function. ° . a . 


e The operands anon: auanene: and aes are epcoual There may be from | 
zero to three operands, depending on the opcode. When present, they take the form 
of either literals or identifiers for data items. Operand identifiers are either reserved 

Names of registers or are assumed to be assigned to data items declared in another 
part of the program (which may not be shown in the example). 


1-8 


INTRODUCTION TO THE Intel486™ MICROPROCESSOR FAMILY 


“When two operands are present in an arithmetic or logical instruction, the right oper- 
and is the source and the left operand is the destination. Some asseulbly languages 
_ put the source and destination in reverse order. 


For example: 
LOADREG: MOV EAX, SUBTOTAL 


In this example LOADREG is a label, MOV is the mnemonic identifier of an ee? 
EAX is the destination operand, and SUBTOTAL is the source operand. 


1.3.4 Hexadecimal Numbers 


Base 16 numbers are represented by a string of hexadecimal digits followed by the char- 
acter H. A hexadecimal digit is a character from the set (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, 
_C, D, E, F). A leading zero is added if the number would otherwise begin with one of the 
digits A-F. For example, OFH is equivalent to the decimal number 15. 


1.3.5 Segmented Addressing 


The Intel486 processor uses byte addressing. This means memory is organized and 
accessed as a sequence of bytes. Whether one or more bytes are being accessed, a byte 
number is used to address memory. The memory which can be addressed with this 
number is called an address space. 


The Intel486 processor also supports segmented addressing. This is a form of addressing 
where a program may have many independent address spaces, called segments. For 
example, a program can keep its code (instructions) and stack in separate segments. 
Code addresses would always refer to the code space, and stack addresses would always 
refer to the stack space. An example of the notation used to show segmented addresses 
is shown below. | 


CS:EIP 


This example refers to a byte within the code ScemEne The byte number is held in the 
EIP register. 


1.3.6 Exceptions 


An exception is an event which occurs when an instruction causes an error. For example, 
an attempt to divide by zero generates an exception. There are several different types of 
exceptions, and some of these types may provide error codes. An error code reports 
additional information about the error. Error codes are produced only for some excep- 
tions. An example of the notation used to show an exception and error code is shown 
below. 


#PF(fault code) 
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This example refers to a page-fault exception under conditions where an error code 
naming a type of fault is reported. Under some conditions, exceptions which produce 
error codes may not be able to report an accurate code. In this case, the error code is 
zero, as shown below. | 


#PF(0) 


Part | 
Application Programming 


Basic Programming Model 2 


CHAPTER 2 | 
BASIC PROGRAMMING MODEL 


This chapter describes the application programming environment (except for the 
floating-point features) as seen by assembly-language programmers. The chapter intro- 
duces the architectural features which directly affect the design and implementation of 
spencanen propsanis: Floating-point applications are described separately in Part III. 


The basic programming model consists of these parts: 
e Memory organization 

e Data types 

e Registers me 

e Instruction format 

e Operand selection 

‘ menue and ence Dions, 


Note that iapudourpiita is not iicladed as pai of the basic programming model. System 
designers may choose to make I/O instructions available to applications or may choose to 
reserve these functions for the operating 2 ee For this reason, un I/O features of the 
Intel486 processor are discussed in Part II. : _—. 


This chapter contains a section for each feature of the architecture normally isible't to 
penne 3 : | 


2.1 MEMORY ORGANIZATION 

The memory on the bus of an Intel486 processor is called physical memory. It is orga- 
nized as a. sequence of 8-bit bytes. Each byte is assigned a unique address, called a 
physical address, which ranges from zero to a maximum of 2°*—1 (4 gigabytes). Memory 
management is a hardware mechanism for making reliable and efficient use of memory. 


When memory management is used, programs do not directly address physical memory. 
Programs address a memory model, called virtual memory. 


Memory management consists of segmentation and paging. Segmentation is a mecha- 
nism for providing multiple, independent address spaces. Paging is a mechanism to sup- 
port a model of a large address space in RAM using a small amount of RAM and some 
disk storage. Either or both of these mechanisms may be used. An address issued by a 
program is a logical address. Segmentation hardware translates a logical address into an 
address for a continuous, unsegmented address space, called a linear address. eens 
hardware translates a linear address into a | physical address. 


Memory may appear as a single, addressable space like physical memory. Or, it may 
appear as one or more independent memory spaces, called segments. Segments can be 
assigned specifically for holding a program’s code (instructions), data, or stack. In fact, a 
single program may have up to 16,383 segments of different sizes and kinds. Segments 
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can be used to increase the reliability of. programs ag systems.. For example, a pro- 
gram’s stack can be put into a different segment than its code to prevent the stack from 
prowling? into the code vee and vera instructions pl data. 


Whether ¢ or not fuldple segments are used, seca saaneces are translated i into ined 
addresses by treating the address as an offset into a segment. Each segment has a seg- 
ment descriptor, which holds its base address and size limit. If the offset does not exceed 
the limit, and no other condition exists which would prevent reading the oe as oe 
oltsc! and base address are added together to form the linear address. | 


The linear address produced by segmentation is used directly as athe siveical address if © 
bit 31 of the CRO register is clear (the CRO register is discussed in Chapter 4). This 
register bit controls whether paging is used or not used. If the bit is set, the paging 
_ hardware is used to translate the linear address into the physical address. — 


The paging hardware gives another level of organization to memory. It breaks the linear 
address space into fixed blocks of 4K bytes, called pages. The logical address space is 
mapped into the linear address space, which is mapped into some number of pages. A 
page may be in memory or on disk. When a logical address is issued, it is translated into 
an address for a page in memory, or an exception is issued. An exception gives the 
operating system a chance to read the page from disk and update the page mapping. The 
program which generated the exception then can. be restarted without generating an 
oe pon: 


If multiple segments are used, they are part of the programming environment seen by 
application programmers. If paging is used, it is normally invisible to the application 
programmer. It only becomes visible when there is an interaction between the applica- 
tion program and the paging algorithm used by the operating system. When all of the 
pages in memory are used, the operating system uses its paging algorithm to decide 
which memory pages should be sent to disk. All paging algorithms (except random algo- 
rithms) have some kind of worst- -case behavior which may pe exercised by some kinds of 
application programs. 


The architecture of the Intel486 processor gives designers the freedom to choose a dif- 
' ferent memory model for each program, even when more than one program is running at 

the same time. The model of memory organization can range between the following 
extremes: : . 


° A “flat” address” space where the code, stack, and ea spaces are apnea to tie: 
‘same linear addresses. To the greatest extent possible, this eliminates Seementauon 
_ by allowing any type of memory reference to access. any type of data. | | 


0 A segmented address space with separate. segments for the code, data, and stack | 
spaces. As many as 16,383 linear address spaces of up to 4 gigabytes each can be used. 


Both models can oe memory. protection. “Models intermediate between these 
extremes also can be chosen. The reasons for choosing a particular memory model and 
the manner in which system programmers implement a model are discussed in Part II— 
System Programming. 
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2.1.1 Unsegmented or “Flat” Model 


The simplest memory model is the flat model. Although there isn’t a mode bit or control 
register which turns off the segmentation mechanism, the same effect can be achieved by 
mapping all segments to the same linear addresses. This will cause all memory opera- 
tions to refer to the same memory space. 


In a flat model, segments may cover the entire 4 gigabyte range of physical addresses, or 
they may cover only those addresses which are mapped to physical memory. The advan- 
tage of the smaller address space is it provides a minimum level of hardware protection 
against software bugs; an exception will occur if any logical address refers to an address 
for which no memory exists. . 


2.1.2 Segmented Model 


In a segmented model of memory organization, the logical address space consists of as 
many as 16,383 segments of up to 4 gigabytes each, or a total as large as 2*° bytes (64 
terabytes). The processor maps this 64 terabyte logical address space onto the physical 
address space (up to 4 gigabytes) by the address translation mechanism described in 
Chapter 5. Application programmers may ignore the details of this mapping. The advan- 
tage of the segmented model is that offsets within each address space are Reparetcly 
checked and access to each segment can be individually controlled. 


A pointer into a segmented address ‘Space consists of two parts (see Figure 2-1). 
1. A segment selector, which is a 16-bit field which identifies a segment. 
2. An offset, which is a 32-bit byte address within a segment. 


_ The processor uses the segment selector to find the linear address of the beginning of 
the segment, called the base address., Programs access memory using fixed offsets from 
this base address, so an object-code module may be loaded into memory and run without 
changing the addresses it uses (dynamic linking). The size of a segment is defined ay the 
programmer, so a tseerncut can be exactly the size of the module it contains. : 


2. 2 DATA TYPES 


Bytes, words, and doublewords are the sancoale data types (sie Figure 2- 9) A byte is 
eight bits. The bits are numbered 0 through 7, bit 0 being the least significant bit (LSB). 


A word is two Biles occupying any two consecutive addresses. A word contains 16 bits. 
The bits of a word are numbered from 0 through 15, bit 0 again being the least signifi- 
cant bit. The byte containing bit 0 of the word is ‘called the low byte; the byte containing 
bit 15 is called the high byte. On the Intel486 processor, the low byte is stored in the byte 
with the lower address. The address of the low byte also is the address of the word. The 
address of the high byte is used only when the upper half of the word i is being accessed 
separately from the lower half. ~ 
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Figure 2-1. Segmented Addressing 
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A doubleword is four bytes occupying any four consecutive addresses. A doubleword 
contains 32 bits. The bits of a doubleword are numbered from 0 through 31, bit 0 again 
being the least significant bit. The word containing bit 0 of the doubleword is called the 
low word; the word containing bit 31 is called the high word. The low word is stored in 
the two bytes with the lower addresses. The address of the lowest byte is the address of 
the doubleword. The higher addresses are used only when the upper word is being 
accessed separately from the lower. word, or when individual bytes are being accessed, 
Figure 2-3 illustrates the arrangement of bytes within words and doublewords. 


Note that words do not need to be aligned at even- si beee addresses and double- 
words do not need to be aligned at addresses evenly divisible by four. This allows maxi- 
mum flexibility in data structures (e.g., records containing mixed byte, word, and 
doubleword items) and efficiency in memory utilization. Because the Intel486 processor 
has a 32- bit data bus, communication between processor and memory takes place as 
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| BYTE BYTE . 


15 7 0 


HIGH BYTE LOW BYTE WORD 


address N+1 | address N 


31 15 0 


address N+3 address N+ 2 address N+1 address N 
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Figure 2-2. Fundamental Data Types 


DOUBLEWORD AT ADDRESS A 
CONTAINS 7AFE0636 


WORD AT ADDRESS B CONTAINS FE06 | 


4 


BYTE AT ADDRESS 9 CONTAINS 1F 


+ 


WORD AT ADDRESS 6 CONTAINS 230B 


WORD AT ADDRESS 2 CONTAINS 74CB 


WORD AT ADDRESS 1 CONTAINS CB31 
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_ Figure 2-3. Bytes, Words, and Doublewords in Memory 
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doubleword transfers aligned to addresses evenly divisible by four; the processor con- 


-verts doubleword transfers aligned to other addresses into multiple transfers. These 


unaligned operations reduce speed by requiring extra bus cycles. For maximum speed, 
data structures (especially stacks) should be designed so, whenever possible, word oper- 
ands are aligned to even addresses and doubleword operands are aligned to addresses 
evenly divisible by four. | 


Although bytes, words, and doublewords are the fundamental types of operands, the 
processor also supports additional interpretations of these operands. Specialized instruc- 
tions recognize the following data types (shown i in Figure 2-4): 


Integer: A signed binary number held in a 32- bit doubleword, 16-bit word, | or 8-bit 
byte. All operations assume a two’s complement representation. The sign bit is 


_ located in bit 7 in a byte, bit.15 in a word, and bit 31 in a doubleword: The sign bit is 


set for negative integers, clear for positive integers and zero. The value of an 8-bit 
integer is from —128 to = 127; a 16-bit integer from —32,768 to + 32,767; a 32- bit 
integer from aT a ee ieee O 


Ordinal: An unsigned binary number contained in a 32-bit doubleword, 16-bit word, 
or 8-bit byte. The value of an 8-bit ordinal is from 0 to 255; a 16-bit ordinal from 0 to 


65, 535; a 32-bit ordinal from 0 to DP a 1. 


Near Pointer: A 32-bit logical address. A near soni? is an sfiset Sn a scetnent 
Near pointers are used for all pointers in a flat memory model, or for references 
within a segment ina segmented model. 


Far Pointer: A 48-bit logical address consisting of a 16. bit coment selector and a 


32-bit offset. Far pointers are used in a segmented memory model to. access other 
segments. as a _ | : 


String: A cng sequence of ee words, or doublewords. A string may contain 
from zero to 2°* — 1 bytes (4 gigabytes). 


Bit field: A Seer sequence of bits. A bit field may begin a at any bit position of 
any byte and may contain up to 32 bits. 


Bit string: A contiguous sequence of bits. A bit string may begin at any bit position of 
any byte and may contain up to 2°? — 1 bits. 


BCD: A representation of a binary-coded decimal (BCD) digit in the range 0 through 


9, Unpacked decimal numbers are stored as unsigned byte quantities. One digit is 


stored in each byte. The magnitude of the number is the binary value of the low-order 
half-byte; values 0 to 9 are valid and. are interpreted as the value of a digit. The 
high-order half-byte must be zero during multiplication and division; it may contain 
any value during addition and subtraction. | 


Packed BCD: A representation of binary-coded decimal digits, each in the range 0 to 
9. One digit is stored in each half-byte, two digits in each byte. The digit in bits 4 to 7 


is more significant than the digit 1 in bits 0 to 3. Values Q to 9 are valid for a digit. 


Floating-Point Types: For a discussion of the data types. used by floating- point instruc- 
tions, see Chapter 15. 
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BYTE INTEGER 
7-BIT MAGNITUDE 
'_BIT SIGN 


WORD INTEGER 
15-BIT MAGNITUDE 
1-BIT SIGN 


DOUBLEWORD INTEGER 
31-BIT MAGNITUDE 
_ 1-BIT SIGN 


BYTE ORDINAL © 
8-BIT MAGNITUDE 


WORD ORDINAL 
16-BIT MAGNITUDE 


DOUBLEWORD ORDINAL 
32-BIT MAGNITUDE 


BCD INTEGER 
4-BIT DIGIT PER BYTE 
4.BIT DIGIT PER BYTE - 


PACKED BCD INTEGER 
4-BIT PER HALF-BYTE 
4-BIT PER HALF-BYTE 


NEAR POINT 
32-BIT OFFSET 
4-BIT DIGIT PER BYTE 


FAR POINTER 
32-BIT OFFSET 
16-BIT SELECTOR 


BIT FIELD 
UP TO 32 BITS 


BIT STRING 
UP TO 4 GIGABITS 


BYTE STRING 
UP TO 4 GIGABYTES 
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Figure 2-4. Data Types 
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2.3 REGISTERS 


The Intel486 processor contains sixteen registers which may be used by an application 
‘programmer. as Pigure. 2- 5 shows, these. Tegisters may be grouped as: | 


| A. General reels! These eight 32-bit foeer are free for use by the programmer. : 


2, Segment registers. These registers hold-segment selectors associated with different 
forms of memory access. For example, there are separate segment registers for 
access to code and stack space. These six registers determine, at any given time, 
which. segments of mon are a available. 


3. ‘Status and Reateal resistets. ‘These registers report and allow modification of the 
state of the Intel486 processor. | 


2.3.1 General neaeers 


The general registers are the 32-bit registers EAX, EBX, ECX, EDX, EBP, ESP, ESI, 
and EDI. These registers are used to hold operands for logical and arithmetic opera- 
tions. They also may be used to hold operands for address calculations (except the ESP 
register cannot be used as an index operand). The names of these registers are derived 
from the names of the general registers on the 8086 processor, the AX, BX, CX, DX, 
BP, SP, SI, and DI registers. As Table. 2-1 shows, the low 16 bits of the general registers 
can be REICTENECY ne these names. | 


Each oe of the a ie AX, BX, CX, | and DX also have other names. The byte 
registers are named AH, BH, CH, and DH (high cia and AL, BL, CL, and DL von 
ey | 


Table 54 nesicty Nance 
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GENERAL REGISTERS 


16-BIT — 32-BIT 
AX AX 
DX ‘EDX 
CX. | ECX. 


BX EBX 
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Figure 2-5. Application Register Set 
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All of the general-purpose registers are available for address calculations and for the 
results of most arithmetic and logical operations; however, a few instructions assign 
specific registers to hold operands. For example, string instructions use the contents of 
the ECX, ESI, and EDI registers as operands. By assigning specific registers for these 
functions, the instruction set can be encoded more compactly. The instructions using 
specific registers include: double-precision multiply and divide, es strings, translate; 
loop, variable shift and rotate, and “ eg 


2.3.2 Segment Registers 


Segmentation gives system seam the flexibility to choose among various ‘models of — 
memory organization. pepe cnianen of inemory models is the euniedt of pant 
I— System Programming. : 


The segment reidies contain 16-bit segment selectors, which index into tables in mem- 
ory. The tables hold the base address for each segment, as well as other information 
regarding memory access. An unsegmented model is created by mappne each segment 
to the same place in physical memory, as shown in Figure 2-6. | 


At any instant, up to six segments of memory are immediately available. The segment 
registers CS, DS, SS, ES, FS, and GS hold the segment selectors for these six segments: 
Each register is associated with a particular kind of memory access (code, data, or stack). 
Each register specifies a segment, from among the segments used by the program, which 
is used for its kind of access (see Figure 2-7). Other segments can be used by pags 
their segment selectors into the segment registers. 


DIFFERENT LOGICAL SEGMENTS _ ONE PHYSICAL ADDRESS SPACE 


GS Ff 
FS | 
ES | 
DS 
cs 


ss | 
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| Figure 2-6. An Unsegmented Memory 
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DIFFERENT LOGICAL SEGMENTS DIFFERENT ADDRESS SPACE 
| . IN PHYSICAL MEMORY 


CODE 
SEGMENT : 


STACK 
SEGMENT 


DATA 
SEGMENT 
DATA 
SEGMENT 
DATA . 
_ SEGMENT 


DATA 
SEGMENT 
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Figure 2-7. A Segmented Memory 


The segment containing the instructions being executed is called the code segment. Its 
segment selector is held in the CS register. The Intel486 processor fetches instructions 
from the code segment, using the contents of the EIP register as an offset into the 
segment. The CS register is loaded as the result of interrupts, exceptions, and instruc- 
tions which transfer control between segments (e.g., the CALL, IRET and JMP 
instructions). | | 


Before a procedure is called, a region of memory needs to be allocated for a stack. The 
stack is used to hold the return address, parameters passed by the calling routine, and 
temporary variables allocated by the procedure. All stack operations use the SS register 
to find the stack segment. Unlike the CS register, the SS register can be loaded explic- 
itly, which permits application programs to set up stacks. | | 


The DS, ES, FS, and GS registers allow as many as four data segments to be available 
simultaneously. Four data segments give efficient and secure access to different types of 
data structures. For example, separate data segments can be created for the data struc- 
tures of the current module, data exported from a higher-level module, a dynamically- 
created data structure, and data shared with another program. If a bug causes a program 
to run wild, the segmentation mechanism can limit the damage to only those segments 
allocated to the program. An operand within a data segment is addressed by specifying 
its offset either in an instruction or a general register.. | 
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Depending on the structure of data (i.e., the way data is partitioned into segments), a 
program may require access to more than four data segments. To access additional 
segments, the DS, ES, FS, and GS registers can be loaded by an application program 
-during execution. The only requirement is to load the appropriate segment register 
before accessing data in its segment. | 


A base address is kept for each segment. To address data within a segment, a 32-bit 
offset is added to the segment’s base address. Once a segment is selected (by loading the 
segment selector into a segment register), an instruction only needs to specify the offset. 
Simple rules define which segment register is used to form an address when only an 
offset is specified. | 


2.3.3 Stack Implementation 


Stack operations are supported by three registers: 


1. Stack Segment (SS) Register: Stacks reside in memory. The number of stacks in a 
system is limited only by the maximum number of segments. A stack may be up to 4 
gigabytes long, the maximum size of a segment on the Intel486 processor. One stack 
is available at a time—the stack whose segment selector is held in the SS register. 
This is the current stack, often referred to simply as “the” stack. The SS register is 
used automatically by the processor for all stack operations. 


2. Stack Pointer (ESP) Register: The ESP register holds an offset to the top-of-stack 
(TOS) in the current stack segment. It is used by PUSH and POP operations, sub- 
routine calls and returns, exceptions, and interrupts. When an item is pushed onto 
the stack (see Figure 2-8), the processor decrements the ESP register, then writes 
the item at the new TOS. When an item is popped off the stack, the processor 
copies it from the TOS, then increments the ESP register. In other words, the stack 
grows down in memory toward lesser addresses. | 


3. Stack-Frame Base Pointer (EBP) Register: The EBP register typically is mused: to 
access data structures passed on the stack. For example, on entering a subroutine 
the stack contains the return address and some number of data structures passed to 
the subroutine. The subroutine adds to the stack whenever it needs to create space 
for temporary local variables. As a result, the stack pointer moves around as tempo- 
rary variables are pushed and popped. If the stack pointer is copied into the base 
pointer before anything is pushed on the stack, the base pointer can be used to 
reference data structures with fixed offsets. If this is not done, the offset to access a 

_ particular data structure would change whenever a pe ance variable iS allocated 
or de-allocated. 


When the EBP register is used to address 1 memory, the current stack segment iS 

— selected (i. e., the SS segment). Because the stack segment does not have to be 
specified, instruction encoding is more ee ide The EBP rene also can be used 
to address other segments. 


Instructions, such as the ENTER and LEAVE. instructions, are provided which 
automatically set up the EBP register for convenient access to variables. | 
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STACK SEGMENT 


BOTTOM OF STACK 
(INITIAL ESP VALUE) 


31 0 


TOP OF STACK 


PUSHES PUT THE POPS PUT THE 
TOP OF STACK AT . . TOP OF STACK AT — 
LOWER ADDRESSES . HIGHER ADDRESS 


Figure 2-8. Stacks 
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2.3.4 Flags Register 

Condition codes (e.g., carry, sign, overflow) and mode bits are kept in a 32-bit register 
named EFLAGS. Figure 2-9 defines the bits within this register. The flags control cer- 
tain operations and indicate the status of the Intel486 processor. 


The flags may be considered in three groups: status flags, control flags, and system flags. 
Discussion of the system flags occurs in Part II. 


2.3.4.1 STATUS FLAGS 

The status flags of the EFLAGS register report the kind of result produced from the 
execution of arithmetic instructions. The MOV instruction does not affect these flags. 
Conditional jumps and subroutine calls allow a program to sense the state of the status 
flags and respond to them. For example, when the counter controlling a loop is decre- 
mented to zero, the state of the ZF flag changes, and this change can be used to sup- 
press the conditional jump to the start of the loop. 


The status flags are shown in Table 2-2. 


2.3.4.2 CONTROL FLAG 
The control flag DF of the EFLAGS register controls string instructions. 
DF (Direction Flag, bit 10) 
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09876543210 


i 


11 1 
7654 2 


_ ALIGNMENT CHECK nis 
VIRTUAL 8086 MODE (VM) 
RESUME FLAG (RF) 
NESTED TASK (NT)— 

/O PRIVILEGE LEVEL (IOPL) 
OVERFLOW FLAG (OF) 
DIRECTION FLAG (DF) 
INTERRUPT ENABLE FLAG (IF) 
TRAP FLAG (TF) 

SIGN FLAG (SF)- 

ZERO FLAG (ZF) ——— 
AUXILIARY CARRY FLAG (AF) 
PARITY FLAG (PF)- 

CARRY FLAG (CF) 


NONNWMWM KK OW KK KK 


INDICATES A STATUS FLAG» 
INDICATES A CONTROL FLAG 
INDICATES A SYSTEM FLAG 


xO” 


BIT POSITIONS SHOWN AS 0 OR 1 ARE INTEL RESERVED. 
DO NOT USE. ALWAYS SET THEM TO THE VALUE PREVIOUSLY READ. 


th de ee 240486i2-9 
Figure 2-9. EFLAGS Register 
Table 2-2. Status Flags 

a 


overflow Result exceeds positive or negative limit of number range 
sign . Result is negative (less than ee) 


— zero | : Result is zero 


. auxiliary carry Carry out of bit. position 3 (used for BCD) i 
parity _ Low byte of result has even parity (even number of set tits) 
carry flag | Carry out of most significant bit of result 7 


Setting the DF flag causes string instructions to auto-decrement, that is, to process 
strings from high addresses to low addresses. Clearing the DF flag causes string instruc- 
tions to auto-increment, or to process strings from low addresses to high addresses. 


2.3.4.3 INSTRUCTION POINTER 


The instruction pointer (EIP) register contains the offset in the current code segment for 
the next instruction to execute. The instruction pointer is not directly available to the 
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programmer; it is controlled implicitly by control-transfer instructions (jumps, returns, 
etc.), interrupts, and exceptions. . 


The EIP register is advanced from one instruction boundary to the next. Because of 
instruction prefetching, it is only an approximate indication of the bus activity which 
loads instructions into the processor. 


The Intel486 processor does not fetch single instructions. The processor prefetches 
aligned 128-bit blocks of instruction code in advance of instruction execution. (An 
aligned 128-bit block begins at an address which is clear in its low four bits.) These 
blocks are fetched without regard to the boundaries between instructions. By the time an 
instruction starts to execute, it already has been loaded into the processor and decoded. 
This is a performance feature, because it allows instruction execution to be overlapped 
with instruction prefetch and decode. 


When a jump or call is executed, the processor prefetches the entire aligned block con- 
taining the destination address. Instructions which have been prefetched or decoded are 
discarded. If a prefetch would generate an exception, such as a prefetch beyond the end 
of the code segment, the exception is not reported until the execution of an instruction 
containing at least one exception-generating byte. If the instruction is discarded, no 
exception is generated. 


In real mode prefetching may cause the processor to access addresses not anticipated by 
programmers. In protected mode exceptions are correctly reported when these addresses 
are executed. There may not be hardware mechanisms which account for real mode 
behavior of the processor. For example, if a system does not return the RDY# signal 
(the signal which terminates a bus cycle) for bus cycles to unimplemented addresses, 
prefetching must be prevented from referencing these addresses. If a system implements 
parity checking, prefetching must be prevented from accessing addresses beyond the end 
of parity-protected memory. (Alternatively, RDY# can be returned even for bus cycles 
to unimplemented addresses, and parity errors can be ignored on prefetches beyond the 
end of parity-protected memory.) | 


Prefetching can be kept from referencing a particular address by placing enough dis- 
tance between the address and the last executable byte. For example, to keep prefetch- 
ing away from addresses in the block from 10000H to 1000FH, the last executable byte 
should be no closer than OFFEEH. This places one free byte followed by one free, 
aligned, 128-bit block between the last byte of the last instruction and the address which 
must not be referenced. The prefetching behavior of the Intel486 processor is 
implementation-dependent; future Intel products may have different prefetching 
_ behavior. | | 


2.4 INSTRUCTION FORMAT 


The information encoded in an instruction includes a specification of the operation to be 
performed, the type of the operands to be manipulated, and the location of these oper- 
ands. If an operand is located in memory, the instruction also must select, explicitly or 
implicitly, the segment which contains the operand. 
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An instruction may have various parts and formats.’ The exact format of instructions is 
shown in Appendix A; the parts of an instruction are described below.. Of these parts, 
only the opcode is always present. The other parts may or may not be present, depending 
on the operation involved and the location and type of the oa The Den oe an 
instruction, in order of occurrence, are listed below: = | OE i 


° Prefixes: one or more bytes preceding.an instruction which modify the operation of 
the instruction. ‘The following prefixes « can. be used by application programs: 


| i. Segment override — explicitly specifies which segment register an “instruction 
| ‘Should use, instead of the. default Segment Se | 


We Address size switches between 16-.and 32- bit addressing. Bither size can be the 
default; this prefix selects the non-default size. 


3. Operand size —switches between 16- and 32-bit data size. Either: size can be the 
| default; this, prefix selects the. non- default Size. Be sgn ts = 


4. Repeat — used with a string instruction to. cause thet instruction to be repeated. for 
each element of the. string... Me oe tbe , | 


e Opcode: specifies the operation performed by the instruction. Some spe raters have 
- severe) a Oped ss ean ie aa a CL som of ie oan 


| ° Register specifier: 2 an instruction may specily one or two. register operands. Register 
specifiers occur either in the same byte. a: as the opeode or in the same byte as, oe 
| _addressing- -mode specifier. - | | 


° sMGldxessinginoile specifier: salen present, specifies whether an operand is a register 
or memory location; if in memory, ‘specifies: ‘whether a mdlisplacement; a base a 
an index RICeISich and scaling are to be used. . . | : 


e SIB (scale, index, base) byte: when the addressing- mode specifier indicates’ an index 
register will be used to calculate the address of an opérand, a SIB byte is included in 
the instruction to encode the base register, the index Tegister, and a scaling factor. 


° Hisplacsnent Shed ihe ner renee ye saidieatee 2 a udder ent will be 
used to compute the address of an operand, the. displacement is encoded in. the 
instruction. A displacement is a signed integer of 32, 16, or 8 bits. The 8-bit form is 
used in the common case when the displacement is sufficiently small. The processor 
extends an 8-bit displacement to 16 or 32 bits, taking into account the ee 


e Immediate operand: when present, directly provides the wane of an aspect Imme- 
diate. operands may be bytes; words, or doublewords. In cases where an 8-bit imme- 

_ diate operand is used with a 16- or 32-bit operand, the processor extends the eight-bit 
- Operand to an integer of the same sign and maeneues? in the clans size. In the same 
way, a 16-bit operand is extended to 32-bits. | eG Pe | | 
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2.5 OPERAND SELECTION 


An instruction acts on zero or more aperande An staple of a zero-operand instruction 
is the NOP instruction (no operation). An operand can be held in any of these places: 


e In the instruction itself (an immediate operand). 


e Ina register (in the case of 32-bit operands, EAX, EBX, ECX, EDX, ESI, EDI, ESP, 
or EBP; in the case of 16-bit operands AX, BX, CX, DX, SI, DI, SP, or BP; in the 
case of 8-bit operands AH, AL, BH, BL, CH, CL, DH, or DL; the segment registers; 
or the EFLAGS register for flag operations). Use of 16-bit register operands requires 
use of the 16-bit operand size prefix (a byte with the value 67H preceding the 
instruction). 


e In memory. 


eo At an I/O port. © 


Access .to operands. is very fast. Register and immediate operands are available 
on-chip — the latter. because they are prefetched as part of interpreting the instruction. 
Memory operands ee in the on-chip cache can be accessed just as fast. 


Of the ‘ietrucHonewhich have ae eae some epenity operands caplictly others specify 
operands explicitly; still others use a combination of both. For example: 


Implicit operand: AAN 


By definition, AAM (asc adjust for multiplication) operates” on. the contents of 
the AX register. 


Explicit operand: XCHG EAX, EBX 
The operands to be exchanged are encoded in the instruction with the opcode. 
Implicit and explicit operands: PUSH COUNTER 


The memory variable COUNTER (the explicit operand) is copied to the top of the 
stack (the implicit operand). — 


Note that most instructions have implicit operands. All arithmetic instructions, for exam- 
ple, ape the eee heen 


An instruction can eile referenee: one or ‘two apeaides Two- opera instructions, 
such as MOV, ADD, and XOR, generally overwrite one of the two participating oper- 
ands with the result. This is, the difference between the source operand (the one unaf- 
fected by the operation) and the destination operand (the one overwritten by the result). 
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For most instructions, one of the two explicitly specified operands— either the source or 
the destination —can be either in a register or in memory. The other operand must be in 
a register or it must be an immediate source operand. This puts the el two- aperend 
instructions into the following groups: 


e Register-to register 

e Register to memory 

° Memory to register 

e Immediate to register 

533 Immediate to memory | 

Certain string instructions and stack manipulation instructions, however, transfer data 
from memory to memory. Both operands of some string instructions are in memory and 


are specified implicitly. Push and pop stack operations allow aust between memory 
operands and the memory-based stack. 


Several three- operand instructions are provided, such as the IMUL, SHRD, and SHLD 
instructions. Two of the three operands are specified explicitly, as for the two- -operand 
instructions, while a third is taken from the ECX register or supplied as an immediate. 
Other three- -operand instructions, such as the string instructions when used with : a popes 
prefix, take all their epee from Tegistels: | | | | 

2.5.1 immediate Operands 

Certain instructions use data from the instruction itself as one (and sometimes two) of 
the operands. Such an operand is called an immediate operand. It may be a byte, word, 


or doubleword. For example: 


SHR PATTERN, ¢ 


One byte of the instruction holds the value 2, the number of bits by which to shift the 
variable PATTERN. 


TEST PATTERN, OFFFFOOFFH 


A doubleword of the instruction holds the mask which is used to test the variable 
PATTERN. 


IMUL CX, nee 3 
A word in no 1S ea by an euneaiate 3 “ stored into the oe Eeuten 


All arithmetic instructions (except sivide) ‘a allow the source Boon to be an inimediate 
value. When the destination is the EAX or AL register, the instruction encoding is one 
byte shorter than with the other general registers. : | | | 
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2.5.2 Register Operands 


Operands may be located in one of the 32-bit general registers (EAX, EBX, ECX, EDX, 
ESI, EDI, ESP, or EBP), in one of the 16-bit general registers (AX, BX, CX, DX, SI, 
DI, SP, or BP), or in one of the 8-bit general registers (AH, BH, CH, DH, AL, BL, Cl 
or DL). 


The Intel486 processor has instructions for referencing the segment registers (CS, DS, 
ES, SS, FS, and GS). These instructions are used by application programs only if system 
designers have chosen a segmented memory model. 


The. Intel486 processor also has instructions for changing the state of individual flags in 
the EFLAGS register. Instructions have been provided for setting and clearing flags 
which often need to be accessed. The other flags, which are not accessed so often, can be 
changed by pushing the contents of the EFLAGS register on the stack, ae changes 
to it while it’s on the stack, and popping it back into the register. © 7 


2.5.3 Memory Operands 


Instructions with explicit operands in memory must reference the segment containing 
the operand and the offset from the beginning of the segment to the operand. Segments 
are specified using a segment- -override prefix, which. is a byte placed at the beginning of 
an instruction. If no segment is specified, simple rules alien the Seement pe nae The 
offset is specified in one of the following ways: | | 


1. Most instructions which access memory contain a byte for specifying the addressing 
method of the operand. The byte, called the modR/M byte, comes after the opcode 
and specifies whether the operand is in a register or in memory. If the operand is in 
memory, the address is calculated from a segment register and any of the following 
values: a base register, an index register, a scaling factor, and a displacement. When 
an index register is used, the modR/M byte also is followed by another byte to 
specify the index oer and scaling factor. ans form of addressing is me most 
flexible. 


2. A few instructions use implied address modes: | 


~A MOV instruction with the AL or EAX register as either source or destination can 
address memory with a doubleword encoded in the instruction. This special form of 
the MOV instruction allows no base register, index register, or scaling factor to be 
used. This form is one byte shorter than the general-purpose form. 


String operations address memory in the DS segment using the ESI register, (the 
~MOVS, CMPS, OUTS, and LODS instructions) or using the ES segment and EDI 
register (the MOVS, CMPS, INS, SCAS, and STOS instructions). 


Stack operations address memory in the SS segment using the ESP register (the 
PUSH, POP, PUSHA, PUSHAD, POPA, POPAD, PUSHF, PUSHFD, POPF, 
POPFD, CALL, LEAVE, RET, IRET, and ee instructions, aoe and 
interrupts). | 
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2.5.3.1 SEGMENT SELECTION 


Explicit specification of a segment is optional. If a segment is not specified using a 
segment-override prefix, the processor automatically chooses a segment according to the 
rules of Table 2-3. (If a flat model of memory organization is used, the rules for selecting 
segments are not apparent to application programs.) -- 


Different kinds of memory access have different default segments. Data operands usu- 
ally use the main data segment (the DS segment). However, the ESP and EBP registers 
are used for addressing the stack, so when either register is used, the stack segment (the 
SS segment) is selected. 


Segment- -override prefixes are provided for each of the segment registers. Only the fol- 
lowing special cases have a default segment selection which is not affected by a segment- 
override prefix: bg 


° Destination strings in ein instructions use the ES segment 
e Destination of a push or source of a pop uses the SS segment 


e Instruction fetches use the CS segment 


2.5.3.2 EFFECTIVE-ADDRESS COMPUTATION 


The modR/M byte provides the most flexible form of addressing. Instructions which have 
a modR/M byte after the opcode are the most common in the instruction set. For mem- 
ory operands specified by a modR/M Dyle, the offset within the selected segment is the 
sum of three components: 


e A displacement 
© A base register 


e An index register (the index register may be multipied ne a factor i 2, 4, or 8) 
| Table : 2-3. Default Segment Selection Rules 


Segment Used — : | 
Type of Reference Register Used . : Default Selection Rule 


- Instructions Code Segment Automatic with instruction fetch. 
| | | CS register | | . | 


Stack Segment All stack pushes and pops. Any mem- 


SS register _ory reference which uses ESP or EBP 
| as a base register. 
Local Data Data Segment All data references except when rela- 
. oes. DS register | ___ tive to stack or string destination. 
Destination Strings _ E-Space Segment Destination of string instructions. 


ES register 
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The offset which results from adding these components is called an effective address. 
Each of these components may have either a positive or negative value. Figure 2-10 
illustrates the full set of possibilities for modR/M addressing. 


The displacement component, because it is encoded in the instruction, is useful for 
relative addressing by fixed amounts, such as: 

e Location of simple scalar operands. 

e Beginning of a statically allocated array. 

e Offset to a field within a record. 

The base and index components have similar functions. Both use the same set of general 


registers. Both can be used for addressing which changes during program execution, 
such as: 


e Location of procedure parameters and local variables on the stack. 


e The beginning of one record among several occurrences of the same record type or in 
an array of records. 


e The beginning of one dimension of multiple dimension array. 

e The beginning of a dynamically allocated array. 

The uses of general registers as Base or index components differ in the following 
respects: 

e The ESP register cannot be used as an index register. 

e When the ESP or EBP register is used as the base, the SS segment is the default 


selection. In all other cases, the DS segment is the default selection. 


The scaling factor permits efficient indexing into an array when the array elements are 2, 
4, or 8 bytes. The scaling of the index register is done in hardware at the time the 
address is evaluated. This eliminates an extra shift or multiply instruction. 


‘SEGMENT + BASE + (INDEX * SCALE) + DISPLACEMENT 


NO DISPLACEMENT 
+< 8-BIT DISPLACEMENT 
32-BIT DISPLACEMENT 


uz 
2 
4 
8 
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Figure 2-10. Effective Address Computation 
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The base, index, and displacement components may be used in any combination; any of 
these components may be null. A scale factor can be used only when an index also is 
used. Each possible combination is useful for data structures commonly used by pro- 
grammers in high-level languages and assembly language. Suggested uses for some com- 
binations of address components are described below. : 


DISPLACEMENT 


The displacement alone indicates the offset of the operand. This form of addressing is 
used to access a statically allocated scalar eperene: A byte, word, or doubleword dis- 
placement can be used. . 


BASE» 


The offset to the spetada is specified indirectly in one of the Beners peer as for 
“based” variables. s : Se, chibi te ee ale 


BASE + DISPLACEMENT | 


A register and a displacement can be used together for two distinct purposes: 


1. Index into static array when the element size is not 2, 4, or 8 bytes. The displace- 

ment component encodes the offset of the beginning of the array. The register holds 

_ the results of a calculation to determine the offset toa specific element within the 
array. 


2. Access a field of a record. The base register holds the address of the beginning of 
the record, while the a aaa is an offset to the field. 


An nOHane specu case of this combiiaton is access to eare os in a procedure 
activation record. A procedure activation record is the stack frame created when a sub- 
routine is entered. In this case, the EBP register is the best choice for the base.register, 
because it automatically selects the stack segment. This is a compact encoding for this 
common function. : | . 


(INDEX # SCALE) + DISPLACEMENT 


This combination is an efficient way to index into a static array when the element size is 
2, 4, or 8 bytes. The displacement addresses the beginning of the array, the index register 
holds the subscript of the desired array element, and the processor automaucany con- 
verts the a into an Index zeny applying the scaling factor. 


| BASE + INDEX 2 DISPLACEMENT 


Two registers asa seater support either a two-dimensional array (the displacement’ 
holds the address of the beginning of the array) or one of several instances of an array of: 
records (the displacement is an offset to a field within the record). 
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BASE + (INDEX * SCALE) + DISPLACEMENT 


This combination provides efficient indexing of a two-dimensional array when the ele- 
ments of the array are 2, 4, or 8 bytes in size. 


2.6 INTERRUPTS AND EXCEPTIONS 


The Intel486 processor has two mechanisms for interrupting program execution: 


1. Exceptions are synchronous events which are responses of the processor to certain 
conditions detected during the execution of an instruction. 


2. Interrupts are asynchronous events typically triggered by external devices needing 
attention. 


Interrupts and exceptions are alike in that both cause the processor to temporarily sus- 
pend the program being run in order to run a program of higher priority. The major 
distinction between these two kinds of interrupts is their origin. An exception is always 
reproducible by re-executing the program which caused the exception, while an meee 
can have a meee timing- dependent relationship with programs. 


Application programmers normally are not concerned with handling exceptions or inter- 
rupts. The operating system, monitor, or device driver handles them. More information 
on interrupts for system programmers may be found in Chapter 9. Certain kinds of 
exceptions, however, are relevant to application programming, and many operating sys- 
tems give application programs the opportunity to service these exceptions. However, 
the operating system defines the interface between the application program and the 
exception mechanism of the. Intel486 Peek Table 2-4 lists the interrupts and 
exceptions. 


e A divide-error exception results when the DIV or IDIV instruction is executed with a 
zero denominator or when the quotient is too large for the destination operand. (See 
Chapter 3 for more information on the DIV and IDIV instructions.) 


e A debug exception may be sent back to an application program if it results from the 
TF (trap) flag. | 7 

eo A breakpoint exception results when an INT3 instruction is executed. This instruction 
is used by some debuggers to stop program execution at specific points. 


e An overflow exception results when the INTO instruction is executed and the OF 
(overflow) flag is set. See Chapter 3 for a discussion of the INTO instruction. 


e A bounds-check exception results when the BOUND instruction is executed with an 
array index which falls outside the bounds of the array. See Chapter 3 for a discussion 
of the BOUND instruction. : 7 


© The device-not-available exception occurs whenever the processor encounters an 
escape instruction and either the TS (task switched) or the EM ae coprocessor) 
bit of the CRO control register is set. 
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Table 2-4. Exceptions:and Interrupts = 


daa 3 ee Description... - 
Number -_ oe a "pa ee Ln 


Divide Error 
Debugger Call 
NMI Interrupt °°” 
Breakpoint 
INTO-detected Overflow... 
BOUND Range Exceeded —. 
Invalid Opcode 
Device Not Available 8° 
Double Fault. 


(Intel reserved. Do not use. 
Not used by Intel486™ CPU.) 


Invalid Task State Segment 
Segment Not Present. | 
Stack Exception 
General Protection |. 
Page Fault. 
(Intel reserved. Do not igen 
. Floating-Point: a 
Alignment Check’ . 
(Intel reserved. Do' not ces 
nae Maskable terrupts es 


0 
1 
2 
3 
5 
6 
7 
8. 
9g 


0 si oa Sk 2S el ek eek ae 
NO oO fh WO NM — O 


e An alignment-check exception is generated for unaligned memory operations: in user 
mode (privilege level 3), provided both AM and AC are set. Memory operations. at 
supervisor mode (privilege levels 0, 1, and 2), or memory operations which default to 
Supervisor mode, do not generate this exception. | 


The INT instruction generates an interrupt whenever it is executed; the processor treats 
this interrupt as an exception. Its effects (and the effects of,all other exceptions) are 
determined by exception handler routines in the application program .or the operating 
system. The INT instruction itself is eiecussed 1 in na Dte? 3. hae uae 2 a0F a more 
complete Cesar of i a | A : PE Se eet 


Exceptions caused by segmentation andit paging are -Haailed 1 differently than interrupts. 
Normally, the contents of the program counter. (EIP register) ate saved on the stack 
when an exception or interrupt is generated. But exceptions resulting from segmentation 
and paging restore the contents of some processor registers to their. state. before interpre- 
tation of the instruction began. The saved contents of the program counter: address the 
instruction which caused the exception, rather than the instruction after it. This lets the 
operating system fix the exception- generating condition and restart the program which 
"generated the exception. This mechanism i Is peomprctey transparent t to the program. 4 
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| CHAPTER 3 
APPLICATION PROGRAMMING 


This chapter is an overview of the integer instructions which programmers can use to 
write application software for the Intel486 processor. The instructions are grouped by 
categories of related functions. (Additional application instructions for operating on 
floating-point operands are described in Part III.) 


The instructions not discussed in this chapter or Part III normally are used only by 
operating-system programmers. Part II describes these system-level instructions. 


These instruction descriptions are for the Intel486 processor in protected mode. The. 
instruction set in this mode is a 32-bit superset of the instruction set used in Intel 16-bit 
processors. In real-address mode or virtual-8086 mode, the Intel486 processor appears to 
have the architecture of a fast, enhanced 8086 processor with instruction set extensions. 
See Chapters 21, 22, 23, 24 and 25 for more information about running the 16-bit 
instruction set. All of the instructions described in this chapter are aa in all 
modes. . 


The instruction set descriptions in Chapter 26 contain more detailed information on all 
instructions, including encoding, operation, timing, effect on flags, and exceptions which 
may be generated. 


3.1 DATA MOVEMENT INSTRUCTIONS 


These instructions provide convenient methods for moving bytes, words, or doublewords 
between memory and the processor registers. They come in three types: 


1. General-purpose data movement instructions. 
2. Stack manipulation instructions. 


3. Type-conversion instructions. 


3.1.1 General-Purpose Data Movement Instructions 


MOV (Move) transfers a byte, word, or doubleword from the source operand to the 
destination operand. The MOV instruction is useful for transferring data along any of 
these paths: 


e Toa register from memory. 
e To memory from a register. 
e Between general registers. 

e Immediate data to a register. 


© Immediate data to memory. 
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The MOV instruction cannot move from memory to memory or from a segment register 
to a segment register. Memory-to-memory moves can be performed, however, by the 
string move instruction MOVS. A special form of the MOV instruction is provided for 
transferring data between the AL or EAX registers and a location in memory specified 
by a 32-bit offset encoded in the instruction. This form of the instruction does not allow 
a segment override, index register, or scaling factor to be used. The encoding of this 
form is one byte shorter than the encoding of the general-purpose MOV instruction. A 
similar encoding is provided for moving an 8-, 16-, or 32-bit immediately into any of the 
ye eae , 


XCHG (Exchange) swaps the contents of two operands: This instruction takes the siaee 
of three MOV instructions. It does not require a temporary location to save the contents 
of one operand while the other is being loaded. The .XCHG instruction is especially 
useful for po peorenune: semaphores or . similar data structures for process 
synchronization. Fo “ : | | 


The XCHG instruction can swap two byte operands, two word operands, or two double- 
word operands. The operands for the XCHG instruction may be two register operands, | 
or a register operand and a memory operand. When used with a memory operand, 
XCHG automatically activates the aie De Agee Chapter 13 for more information 
on bus oe | _ 7 


3.1.2 Stack Manipulation Instructions 


PUSH (Push) decrements the stack pointer (ESP register), then copies the source oper- 
and to the top of stack (see Figure 3-1). The PUSH instruction often is used to place 
parameters on the stack before calling a procedure. Inside a procedure, it can be used to 
reserve apace on the stack for Ss a vananies: The PUSH instruction operates on 


r 


BEFORE PUSHING DOUBLEWORD AFTER PUSHING DOUBLEWORD 


_ DOUBLEWORD a” & 
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Figure 3-1. PUSH Instruction 
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memory operands, immediate operands, and register operands (including segment regis- 
ters). A special form of the PUSH instruction is available for pushing a 32-bit general 
register on the stack. This form has an encoding which is one byte shorter than the 
general-purpose form. 


PUSHA (Push All Registers) saves the contents of the eight general registers on the 
stack (see Figure 3-2). This instruction simplifies procedure calls by reducing the number 
of instructions required to save the contents of the general registers. The processor 
pushes the general registers on the stack in the following order: EAX, ECX, EDX, EBX, 
the initial value of ESP before EAX was pushed, EBP, ESI, and EDI. The effect of the 
PUSHA instruction is reversed using the POPA instruction. 


POP (Pop) transfers the word or doubleword at the current top of stack (indicated by 
the ESP register) to the destination operand, and then increments the ESP register to 
point to the new top of stack. See Figure 3-3. POP moves information from the stack to 
a general register, segment register, or to memory. A special form of the POP instruction 
is available for popping a doubleword from the stack to a general register. This form has 
an encoding which is one byte shorter than the general-purpose form. 


BEFORE PUSHA INSTRUCTION AFTER PUSHA INSTRUCTION ~ 
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Figure 3-2. PUSHA Instruction 
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__ AFTER POPPING A DOUBLEWORD 


DOUBLEWORD : 
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Figure 3-3. POP Instruction 


POPA (Pop All Registers) pops the data saved on the stack by PUSHA into the general 
registers, except for the ESP register. The ESP register is restored by the action of 
reading the stack (popping). See Figure 3-4. 


3. 1.3 Bad Conversion Instructions 


The type conversion instructions convert bytes into words, words into soublewords and 
doublewords into 64-bit quantities (called quadwords). These instructions are especially 
useful for converting signed integers, because they automatically fill the extra bits of the . 
larger item with the value of the sign bit of the smaller item. This results in an integer of 
the ‘same sign and magnitude, but a larger format. This kind of conversion, shown in 
Figure 3- oy is called sign extension. = | 


There are two kinds of type conversion instructions: 


e The CWD, cba, CBW, and CWDE instructions which only operate on data in 1 the 
EAX register. 


e The MOVSX and MOVZX instructions, which permit one operand to be ina sai 
| eet while letting the other operand be in memoty or a register. 


CWD (Convert Word to Doubleword) and CDQ (Convert Doubleword to Quad-Word) 
double the size of the source operand. The CWD instruction copies the sign (bit 15) of 
the word in the AX register into every bit position in the DX register. The CDQ instruc- 
tion copies the sign (bit 31) of the doubleword in the EAX register into every bit posi- 
tion in the EDX register. The CWD instruction can be used to produce a doubleword — 
dividend from a word before a word division, and the CDQ instruction.can. be used to 
produce a quadword dividend from a.doubleword before doubleword division. 
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BEFORE POPA INSTRUCTION AFTER POPA INSTRUCTION 


240486i3-4 


Figure 3-4. POPA Instruction 


0 


15 | - 
BEFORE SIGN 
EXTENSION «CT 


0 


AFTER SIGN 
EXTENSION 
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Figure 3-5. Sign Extension 
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CBW (Convert Byte to Word) copies the sign (bit 7). of the byte in the AL register into 
a bit position in the AX register. 


CWDE (Convert Word to Doubleword Extended) copies the sign (bit 15) of the word iH 
the AX register into every bit position in the EAX register. 


MOVSX (Move with Sign Extension) extends an 8-bit value to a 16- bit value or an 8- or 
16- bit value: to 32-bit value by using the value of the sign to fill empty positions. : 


MOVZX (Move with Zero Extension) extends an 8- bit value to a 16-bit value or an-8- or 
=; bit value to 32-bit value by clearing the omEty bit F POSttions. a 7 | 


32 BINARY ARITHMETIC INSTRUCTIONS _ ae 


The arithmetic instructions of the Intel486 processor operate on numeric data encoded 
in binary. Operations include the add, subtract, multiply, and divide as well as incre- 
ment, decrement, compare, and change sign (negate). Both signed and unsigned binary 
integers are supported. The binary arithmetic instructions may also be used as steps in 
arithmetic on decimal integers. Source operands can be immediate values, general reg- 
isters, Or memory. Destination operands can be general registers or memory (except 
when the source operand is in memory). The basic arithmetic instructions have special 
forms for using an immediate value as the source operand and the AL or EAX registers 
as the destination operand. pueee forms are one byte shorter than the general- Durpese 
aamneee instructions. : 


The arithmetic instructions update the ZF, CF, SF, an OF flags to report the Gad of 
result which was produced. The kind of instruction used to test the flags depends on 
whether the data is being interpreted as signed or unsigned. The CF flag contains infor- 
- mation relevant to. unsigned integers; the SF and OF flags contain information. relevant 
to signed integers. The ZF flag is relevant to both signed and unsigned integers; the ZF 
nee is set when all bits of the result are clear. 


Asithnietie: instructions spetats on 8. 16-, or 39. it data. The flags < are updated: to 
reflect the size of the operation. For example, an 8-bit ADD instruction sets the CF flag 
if the sum Ole the ROperanes S exceeds 255, (decimal). | 


if the integet is aaaened, the CF flag may be tested after one of these arithmetic oper- 

ations to determine whether the operation: required a carry or borrow to be propagated 
to the next stage of the operation. The CF flag is set if a carry occurs (addition instruc- 
tions ADD, ADC, AAA, and DAA) or borrow occurs ee instructions SUB, 
SBB, AAS, Pe; CMP, and ee a | 


The INC aad DEC instructions Af not ieee ie. state of the CF - flag, This allows the 
instructions to be used to update counters used for loop control without changing the 
reported state of arithmetic results. To test the arithmetic state of the counter, the ZF. 
flag can be tested to detect loop termination, or the ADD and SUB instructions « can be: 
used to update the value held by the counter. 
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The SF and OF flags support signed integer arithmetic. The SF flag has the value of the 
sign bit of the result. The most significant bit (MSB) of the magnitude of a signed 
integer is the bit next to the sign — —bit 6 of a byte, bit 14 of a word, or bit 30 2: a 
doubleword. The OF flag is set in either of these cases: 


o A carry was generated from the MSB into the sign bit but no carry was s generated out 
of the sign bit (addition instructions ADD, ADC, INC, AAA, and DAA). In other 
words, the result was greater than the greatest positive number which could be rep- 
resented in two’s complement form. 


e A carry was generated from the sign bit into the MSB but no carry was generated into 
the sign bit (subtraction instructions SUB, SBB, DEC, AAS, DAS, CMP, and NEG). 
In other words, the result was smaller than the smallest negative number which could 
be represented :in two" S mn en rat if 


These status flags are tested by either kind of conditional instruction: Jcc Gump on 
eonmuon cc) or SETcc (byte set on Beate | 7 


3.2.1 Addition and Subtraction inewuetioné 


ADD (Add Integers) replaces the destination operand: with the sum of the source and 
destination operands. The OF, SF, ZF, AF, PF, and CF flags are affected. 


ADC (Add Integers with Carry) replaces the destination operand with the sum of the 
source and destination operands, plus 1 if the CF flag is set. If the CF flag is clear, the 
ADC instruction performs the same operation as the ADD instruction. An ADC instruc- 
tion is used to propagate carry when adding numbers in stages, for example when using 
32-bit ADD instructions to sum mquacwore operands: The OF, SF, ZF, AF, PF, ate CF 
flags are affected. am 


INC (Increment) adds 1 to the destination operand. The INC instruction preserves the 
state of the CF flag. This allows the use of INC instructions to update counters in loops 
without disturbing the status flags resulting from an arithmetic operation used for loop 
control. The ZF flag can be used to detect when carry would have occurred. Use an 
ADD instruction with an immediate value of 1 to perform an increment which updates | 
the CF flag. A one-byte form of this instruction is available when the operand is a 
general register. The OF, SF, ZF, AF, and PF flags are affected. 


SUB (Subtract Integers) subtracts the source operand from the destination operand and 
replaces the destination operand with the result. If a borrow is required, the CF flag is 
set. The operands may be signed or unsigned ss words, or doublewords. The OF, SF, 
ZF, AF, PF, and CF flags are affected. | | 


SSBB (Subtract Integers with Borrow) subtracts the source operand from the destination 
operand and replaces the destination operand with the result, minus 1 if the CF flag is 
set. If the CF flag is clear, the SBB instruction performs the same operation as the SUB 
instruction. An SBB instruction is used to propagate borrow when subtracting numbers 
in stages, for example when using 32-bit SUB instructions to subtract one: quadword 
operand from another. The OF, SF; ZF, AF, PF, and CF flags are affected. 
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DEC (Decrement) subtracts 1 from the destination operand..The DEC instruction pre- 
serves the state of the CF flag. This allows the use of the DEC instruction to update 
counters in loops without disturbing the status flags resulting from an arithmetic opera- 
tion used for loop control. Use a SUB instruction with an immediate value of 1 to 
perform a decrement which updates the CF flag. A one-byte form of this instruction is 
available when the operand is a general register. The OF, SF, ZF, AF, and PF flags are 
affected. 


3. 2. 2 Comparison and mae Change Instruction 


CMP (Compare) subtracts the source Secrand from the destination operand. It eernre 
the OF, SF, ZF, AF, PF, and CF flags, but does not modify the source or destination 
eperanes: A subsequent Jec or SETcc instruction can test the wee 


NEG (Negate) subtracts a signed integer operand from zero. The effect of the NEG 
instruction is to change the sign of a two’s complement operand while keeping its mag- 
nitude. The OF, SF, ZF, AF, PF, ae CF ee are affected. 


3.2.3 Multiplication Instructions 


The Intel486 processor has separate multiply instructions for unsigned and signed oper- 
ands. The MUL instruction operates on unsigned integers, while the IMUL instruction 
operate on vec’ integers as well as ae x: ba BH A 


MUL (nsioned. Integer Multiply) performs an “unsigned mmiltiplication. of the source 
operand and the AL, AX, or EAX register. If the source is a byte, the. processor multi- 
plies it by the value held in the AL register and returns the double-length result in the 
AH and AL registers. If the source operand is a word, the processor multiplies it by the 
value held in the AX register and returns the double-length result in the DX and AX 
registers. If the source operand is a doubleword, the processor multiplies it by the value 
held in the EAX register and returns the quadword result in the EDX and EAX regis- 
ters. The MUL instruction sets the CF and OF flags when the upper half of the result is 
non-zero; otherwise, the flags are cleared. The state of the SF, ZF, AF, and PF flags is 
undefined. | | . 


IMUL (Signed Integer Multiply) performs a signed multiplication operation The IMUL 
instruction has three forms: 


1.. A one- operand form. The operand 1 may be a byte, Sore or doubleword located in 
_. memory or in a general register. This instruction uses the EAX:and EDX registers 
_as implicit operands in the same way as the MUL instruction. | 


2. A two-operand form. One of the source operands is in a general register while the 
other may be in a general register or memory. The result replaces the general- 
24 _Tegister operand. | | | 


3. A three-operand form: two are source eens and one is the destination. One of 
_ the source operands is an immediate value supplied by the instruction; the second 
may be in memory or in a general register. The result is stored in a general register. 
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The immediate operand is a two’s complement signed integer. If the immediate 
operand is a byte, the processor automatically sign-extends it to the size of the 
second operand before performing the multiplication. 


The three forms are similar in most respects: 
e The length of the product is calculated to twice the length of the operands. 


e The CF and OF flags are set when significant bits are carried into the upper half of 

- the result. The CF and OF flags are cleared when the upper half of the result is the 
sign-extension of the lower half. The state of the SF, ZF, AF, and PF flags is 
undefined. 


However, forms 2 and 3 differ because the product is truncated to the length of the 
operands before it is stored in the destination register. Because of this truncation, the 
OF flag should be tested to ensure that no significant bits are lost. (For ways to test the 
OF flag, see the JO, INTO, and PUSHF instructions.) | 


Forms 2 and 3 of IMUL also may be used with unsigned operands because, whether the 
operands are signed or unsigned, the lower half of the product is the same. The CF and 
OF flags, however, cannot be used to determine if the upper half.of the result is 
non-zero. | 


3.2.4 Division Instructions 


The Intel486 processor has separate division instructions for unsigned and signed oper- 
ands. The DIV instruction operates on unsigned integers, while the IDIV instruction 
operates on both signed and unsigned integers. In either case, a divide-error exception is 
generated if the divisor is zero or if the quotient is too large for the AL, AX, or EAX 
register. 


DIV (Unsigned Integer Divide) performs an unsigned division -of the AL, AX, or EAX 
register by the source operand. The dividend (the accumulator) is twice the size of the 
divisor (the source operand); the quotient and remainder have the same Size as the 
divisor, as shown in Table 3-1. : 


Non-integral results are truncated toward 0. The remainder is always smaller than the 
divisor. For unsigned byte division, the largest quotient is 255. For unsigned word divi- 
sion, the largest quotient is 65,535. For unsigned doubleword division the largest quo- 
tient is 2°"—1. The state of the OF, SF; ZF, AF, PF, and CF flags is undefined. 


Table 3-1. Operands for Division 


Operand Size Dividend Quotient Remainder 
(Divisor) 


Byte — AX register | | AL register AH register 
Word DX and AX We AX register DX register — 
Doubleword © EDX and EAX | EAX register EDX register 
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IDIV (Signed Integer Divide) performs a signed division of the accumulator by the 
source operand. The IDIV instruction uses the same registers as the DIV instruction. 


For signed byte division, the maximum positive quotient is.+127, and the minimum 
negative quotient is —128. For signed word division, the maximum positive quotient is 
+ 32,767, and the minimum negative quotient is —32,768. For. signed doubleword divi- 
sion the maximum positive quotient is 2°*—1, the minimum negative quotient is —2°?. 
- Non-integral results are truncated towards 0. The remainder always has the same sign as 

the dividend and is less than the divisor in magnitude. The state of the OF, SF, ZF, AF, 
PF, and CF flags is undefined. 3 


3.3 DECIMAL ARITHMETIC INSTRUCTIONS 


Decimal arithmetic is performed by combining the binary arithmetic instructions 
(already discussed in the prior section) with the decimal arithmetic instructions. The 
decimal arithmetic instructions are used in one of the following ways: 


e To adjust the results of a previous. binary arithmetic operation to produce a valid 
packed or unpacked decimal result. | 


e To adjust the inputs to a subsequent binary arithmetic operation so that the operation 
will produce a valid packed or unpacked. decimal result. These instructions operate 
only on the AL or AH registers. Most use the AF flag. 


3.3.1 Packed BCD Adjustment Instructions 


DAA (Decimal Adjust after Addition) adjusts the result of padee two valid Sasa dec- 
imal operands in the AL register. A DAA instruction must follow the addition of two 
pairs of packed decimal numbers (one digit in each half-byte) to obtain a pair of valid 
packed decimal digits as results. The CF flag is set if a carry occurs. The SF, ZF, AF, PF, 
and CF flags are affected. The state of the OF flag i is undefined. 


DAS (Decimal Adjust after Subtraction) adjusts the result of subtracting two valid 
packed decimal operands in the AL register. A DAS instruction must always follow the 
Subtraction of one pair of packed decimal numbers (one digit in each half-byte) from 
another to obtain a pair of valid packed decimal digits as results. The CF flag is set if a 
borrow is needed. The SF, ZF, AF, PF, and CF pai are affected. The state of the OF 
flag is undefined. 


3.3.2 Unpacked BCD Adjustment Instructions 


AAA (ASCII Adjust after Addition) changes the contents of the AL repens to a valid 
unpacked decimal number, and clears the upper 4 bits. An AAA instruction must follow 
the addition of two unpacked decimal operands in the AL register. The CF flag is set 
and the contents of the AH register are incremented if a carry occurs. The AF and CF 
flags are affected. The state of the OF, SF, ZF, and PF flags is undefined. 
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AAS (ASCII Adjust after Subtraction) changes the contents of the AL register to a valid 
unpacked decimal number, and clears the upper 4 bits. An AAS instruction must follow 
the subtraction of one unpacked decimal operand from another in the AL register. The 
_ CF flag is set and the contents of the AH register are decremented if a borrow is 
needed. The AF and CF flags are affected. The state of the OF, SF, ZF, and PF flags is 
undefined. 


AAM (ASCII Adjust after Multiplication) corrects the result of a multiplication of two 
valid unpacked decimal numbers. An AAM instruction must follow the multiplication of 
two decimal numbers to produce a valid decimal result. The upper digit is left in the AH 
register, the lower digit in the AL register. The SF, ZF, and PF flags are affected. The 
state of the AF, OF, and CF flags is undefined. 


AAD (ASCII Adjust before Division) modifies the numerator in the AH and AL registers 
to prepare for the division of two valid unpacked decimal operands, so that the quotient 
produced by the division will be a valid unpacked decimal number. The AH register 
should contain the upper digit and the AL register should contain the lower digit. This 
instruction adjusts the value and places the result in the AL register. The AH register 
will be clear. The SF, ZF, and PF flags are affected. The state of the AF, OF, and CE 
flags is undefined. | 


3.4 LOGICAL INSTRUCTIONS 


The logical instructions have two operands. Source operands can be immediate values, 
general registers, or memory. Destination operands can be general registers or memory 
(except when the source operand is in memory). The logical instructions modify the state 
of the flags. Short forms of the instructions are available when an immediate source 
operand is applied to a destination operand 1 in the AL or EAX registers. The group of 
logical instructions includes: | 


e Boolean operation instructions. 
e Bit test and modify instructions. 
e Bit scan instructions. 

e Rotate and shift instructions. 


e Byte set on condition. 


3.4.1 Boolean Operation Instructions 
The logical operations are performed by the AND, OR, XOR, and NOT instructions. 


NOT (Not) inverts the bits in the specified operand to form a one’s complement of the 
operand. The NOT instruction is a unary operation which uses a single operand in a 
register or memory. NOT has no effect on the flags. 
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The AND, OR, and XOR instructions perform the standard logical operations “and,” 


or,’ and “exclusive or.” These instructions can use the following combinations of 
operands: : 1 | Bs | 


°. Two renisten operands. 
e A general register operand with a memory operand. 


e An epee ene lu with one a deruer register eperand ora hme ynOry ne: 


The AND, OR, and XOR instructions clear the OF and CF flags, leave the AF flag 
undefined, and update the SF, ZF, and PF flags. 


3.4.2 Bit Test ered Mocity aure 


This eroup of instructions operates on a single bit which can be in memory or ina 
general register. The location of the bit is specified as an offset from the low end of the 
operand. The value of the offset either may be given by an immediate byte in the instruc- 
tion or may be contained in a general register. 


These instructions first assign the value of the selected bit to the CF flag.’ Then a new 
value is assigned to the selected bit, as determined by the operation. The state of the 
OF, SF, ZF, AF, and PF tee is undefined. Table 3-2 defines these instructions. 


“Table 3-2. Bit Test and Modify Instructions 


es Effect on CF Flag : Effect on Selected Bit | 


BT (Bit Test) CF flag <— Selected Bit no effect. 

BTS (Bit Test and Set). CF flag < Selected Bit Selected Bit <— 1 

BTR (Bit Test and Reset) CF flag < Selected Bit | Selected Bit <0 

BTC (Bit Test and Complement). CF flag < Selected Bit Selected Bit <— — (Selected Bit) 


3.4.3 Bit Scan Instructions 


These instructions scan a word or doubleword for a set bit and store the bit index (an 


integer representing the bit position) of the first set bit into a register. The bit string — 


being scanned may be in a register or in memory. The ZF flag is set if the entire word is 
clear, otherwise the ZF flag is cleared. In the former case, the value of the destination 
register is left undefined. The state of the OF, SF, AF, PF, and CF flags is undefined. 


BSF (Bit Scan Forward) scans low-to-high (from bit 0 toward the upper bit positions). 
BSR (Bit Scan Reverse) scans high-to-low (from the uppermost bit toward bit 0). oy 
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3.4.4 Shift and Rotate Instructions 
The shift and rotate instructions rearrange the bits within an operand. 


These instructions fall into the following classes: 
e Shift instructions. | 
e Double shift instructions. 


e Rotate instructions. 


3.4.4.1 SHIFT INSTRUCTIONS 


Shift instructions apply an arithmetic or logical shift to bytes, words, and doublewords. 
An arithmetic shift right copies the sign bit into empty bit positions on the upper end of 
the operand, while a logical shift right fills high order empty bit positions with zeros. An 
arithmetic shift is a fast way to perform a simple calculation. For example, an arithmetic 
shift right by one bit position divides an integer by two. A. logical shift right divides an 
unsigned et or a positive integer, but a signed negative integer loses its sign bit. 


| The arithmetic and logical shift right instructions, SAR and SHR, differ only in their 
treatment of the bit positions emptied by shifting the contents of the operand. Note that 
there is no difference between an arithmetic shift left and a logical shift left. Two names, 
SAL and SHL, are supported for this instruction in the assembler. 


A count specifies the number of bit positions to shift an operand. Bits can be shifted up 
to 31 places. A shift instruction can give the count in any of three ways. One form of shift 
instruction always shifts by one bit position. The second form gives the count as an 
immediate operand. The third form gives the count as the value contained in the CL 
register. This last form allows the count to be a result from | a eon Only the mi 
five bits of the CL register are used. 7 


When the number of bit positions to shift is zero, no flags are affected. Otherwise, the 
CF flag is left with the value of the last bit shifted out of the operand. In a single-bit 
shift, the OF flag is set if the value of the uppermost bit (sign bit) was changed by the 
operation. Otherwise, the OF flag is cleared. After a shift of more than one bit position, 
the state of the OF flag i is undefined. On a shift of one or more bit positions, the SF, ZF, 
PF, and CF flags are affected, and the state of the AF flag is undefined. 


SAL (Shift Arithmetic Left) shifts the destination byte, word, or doubleword operand left 
by one bit position or by the number of bits specified in the count operand (an immedi- 
ate value or a value contained i in the CL register). Empty bit positions are cleared. See 
Figure 3-6. 


SHL (Shift Logical rey is another name for the SAL instruction. It is annbenee) in the 
assermier | 
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INITIAL STATE: . sath Mee ae ae 
CF OPERAND- 
[x] 10001000100010001000100010001111 


AFTER 1-BIT SHL/SAL INSTRUCTION: 


a 00010001000100010001000100011110 |* 


AFTER 10-BIT SHL/SAL INSTRUCTION: 


oe ere ee ae ie 7 240486i9-6 | 

"Figure 3- 6. “SHLSAL instruction 
SHR (Shift Logical Right) shifts the destination ie word, or doubleword operand right 
by one bit’ position or: by the number of bits. specified i in the count operand (an immedi- 


ate value or a value contained i in ae oe ‘ register). Empty bit po ous are oe See 
Figitre’ 3-7, 


SAR (Shift Arithmetic Right) shifts fie desinaien co word: or deubiewar ar 
to the right by.one:bit position or:by the: number of bits specified in the count operand 
(an immediate value or a value contained in the CL register). The sign of the operand is 
preserved by clearing empty bit positions if the oe is Pesuee or oe the oe 
bits if. ae operand ‘1S ecuasan Nee HIBUFC:: = 8. ae | 


en though this instruction can be used to divide itesers bi an een power or two, 
the type of division is not the same as that produced by the IDIV instruction. The 
quotient from the IDIV instruction is rounded toward zero, whereas the “quotient” of 
the SAR instruction is rounded toward negative infinity. This difference is apparent only 
for negative numbers. For example, when the IDIV instruction is used to divide —9 by 4, 
the result is —2 with a remainder of —1. If the SAR instruction is used to shift —9 right 
by. two bits, the résult is. —3, The “remainder” of this kind of division is + 13; however, 
the SAR instruction. stores only, the: high- -order bit of the remainder (in the CF flag). 


3.4.4.2 DOUBLE-SHIFT INSTRUCTIONS 


These instructions provide the basic operations néeded to implement operations on long 
unaligned bit strings. The double shifts operate either on word or doubleword papers: 
as follows: 


e. Take two word operands and produce a one-word result (32- -bit shift). 
e Take two doubleword operands and produce a doubleword result (64-bit shift). 
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INITIAL STATE: 
OPERAND 


10001000100010001000100010001111 


AFTER 1-BIT SHR INSTRUCTION: 


AFTER 10-BIT SHR INSTRUCTION: 


o= 00000000001000100010001000100010 


240486i3-7 


Figure 3-7. SHR Instruction | 


INITIAL STATE (POSITIVE OPERAND): 
OPERAND 


01000100010001000100010001000111 


AFTER 1-BIT SAR INSTRUCTION: 


i 00100010001000100010001000100011 


INITIAL STATE (NEGATIVE OPERAND): 
OPERAND 


110001000100010001000100010000111 


AFTER 1-BIT SAR INSTRUCTION 


11100010001000100010001000100011 


240486i3-8 


Figure 3-8. SAR Instruction. 
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Of the two operands, the source operand must be in a register while the destination 
operand may be in a register or in memory. The number of bits to be shifted is specified 
either in the CL register or in an immediate byte in the instruction. Bits shifted out of 
the source operand fill empty bit positions in the destination operand, which also is 
shifted. Only the destination operand is stored. . | 


When the number of bit positions to shift is zero, no flags are affected. Otherwise, the 
CF flag is set to the value of the last bit shifted out of the destination operand, and the 
SF, ZF, and PF flags are affected. On a shift of one bit position, the OF flag is set if the 
sign of the operand changed, otherwise it is cleared. For shifts of more than one bit 
position, the state of the OF flag is undefined. For shifts of one or more bit positions, 
the state of AF flag is undefined. 


SHLD (Shift Left Double) shifts bits of the destination operand to the left, while filling 
empty bit positions with bits shifted out of the source operand (see Figure 3-9). The 
result is stored back into the destination operand. The source operand is not modified. 


SHRD (Shift Right Double) shifts bits of the destination operand to the right, while 
filling empty bit positions with bits shifted out of the source operand (see Figure 3-10). 
The result is stored back into the destination operand. The source operand is not 
modified. | 


3.4.4.3 ROTATE INSTRUCTIONS 


Rotate instructions apply a circular permutation to bytes, words, and doublewords. Bits 
rotated out of one end of an operand enter through the other end. Unlike a shift, no bits 
are emptied during a rotation. 


34 wis ; 0 


Ga ; DESTINATION (MEMORY OR REGISTER) . 


31 | per ek eee ee 4 


SOURCE (REGISTER) 


'240486i3-9 


Figure 3-9. SHLD Instruction 


3-16 


intel i APPLICATION PROGRAMMING 


31 | 0 


SOURCE (REGISTER) 


31 | 0 


DESTINATION (MEMORY OR REGISTER) ; | cF 


240486i3-10 


Figure 3-10. SHRD Instruction 


Rotate instructions use only the CF and OF flags. The CF flag may act as an extension 
of the operand in two of the rotate instructions, allowing a bit to be isolated and then | 
tested by a conditional jump instruction (JC or JNC). The CF flag always contains the 
value of the last bit rotated out of the operand, even if the instruction does not use the 
CF flag as an extension of the operand. The state of the SF, ZF, AF, and PF flags is not 
affected. 


In a single-bit rotation, the OF flag is set if the operation changes the uppermost bit 
(sign bit) of the destination operand. If the sign bit retains its original value, the OF flag 
is cleared. After a rotate of more than one bit position, the value of the OF flag is 
undefined. : 


ROL (Rotate Left) rotates the byte, word, or doubleword destination operand left by one 
bit position or by the number of bits specified in the count operand (an immediate value 
or a value contained in the CL register). For each bit position of the rotation, the bit 
which exits from the left of the operand returns at the right. See Figure 3-11. 


ROR (Rotate Right) rotates the byte, word, or doubleword destination operand right by 
one bit position or by the number of bits specified in the count operand (an immediate 
value or a value contained in the CL register). For each bit position of the rotation, the 
bit which exits from the right of the operand returns at the left. See Figure 3-12. 


RCL (Rotate Through Carry Left) rotates bits in the byte, word, or doubleword destina- 
tion operand left by one bit position or by the number of bits specified in the count 
operand (an immediate value or a value contained in the CL register). 


This instruction differs from ROL in that it treats the CF flag as a one-bit extension on 
the upper end of the destination operand. Each bit which exits from the left side of the 
operand moves into the CF flag. At the same time, the bit in the CF flag enters the right — 
side. See Figure 3-13. 


intel ® APPLICATION PROGRAMMING 


, 31 | __0 
DESTINATION (MEMORY OR REGISTER) 


~ 240486i3-11 


Figure 3-11. ROL Instruction 


240486i3-12 


Figure. 3-12. ROR Instruction 


DESTINATICN (MEMORY OR REGISTER) 


240486i3-13 


- Figure 3-13. RCL Instruction 


RCR (Rotate Through Carry Right) rotates bits in the byte, word, or doubleword desti- 
nation operand right by one bit position or by the number of bits specified in the count 
operand (an immediate value or a value contained in the CL register). 


This instruction differs from ROR in that it treats CF as a‘one-bit extension on the lower 
end of the destination operand. Each bit which exits from the right side of the operand 
- moves into the CF flag. At the same time, the bit in the CF flag enters the. ae side. ee | 
Figure 3-14. | | 
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DESTINATION (MEMORY OR REGISTER) 


24048613-14 


Figure 3-14. RCR Instruction 


3.4.4.4 FAST “bit bit” USING DOUBLE-SHIFT INSTRUCTIONS 


One purpose of the double shift instructions is to implement a bit string move, with 
arbitrary misalignment of the bit strings. This is called a “bit blt” (BIT BLock Transfer). 
A simple example is to move a bit string from an arbitrary offset into a doubleword- 
aligned byte string. A left-to-right string is moved 32 bits at a time if a double shift is 
used inside the move loop. | | 


MOV ESI,ScrAddr 

MOV EDI,DestAddr 

MOV EBX,WordCnt | 

MOV CL,Rellffset ; relative offset Dest-Src 


MOV EDX, CEST] ; load first word of source 
ADD  ESI,4 ; bump source address 
BltLoop: | | 
LODS ; new low order part in EAX 
SHLD EDX,EAX,CL  -3 EDX overwritten with aligned stuff 
XCHG EDX,EAX ; Swap high and low words 
STOS ; Write out next aligned chunk 


DEC EBX 
JNZ BltLoop 


Decrement loop count 


~e 


This loop is simple, yet allows the data to be moved in 32-bit chunks for the highest 
possible performance. Without a double shift, the best which can be achieved is 16 bits 
per loop iteration by using a 32-bit shift, and replacing the XCHG instruction with a 
ROR instruction by 16 to swap the high and low words of registers. A more general loop 
than shown above would require some extra masking on the first doubleword moved 
(before the main loop), and on the last doubleword moved (after the main loop), but 
would have the same 32-bits per loop iteration as the code above. | 
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3.4.4.5 FAST BIT STRING INSERT AND EXTRACT 


The double shift instructions also make possible: 


e Fast insertion of a bit string from a register into an arbitrary bit location in a larger 
bit string in memory, without disturbing the bits on either side of the inserted bits 


e Fast extraction of a bit string into a register from an arbitrary bit location in a larger 
bit string in memory, without disturbing the bits on either side of the extracted bits — 


The following coded examples illustrate bit insertion and extraction under various 
conditions: 


1. Bit String Insertion into Memory (when the bit string is 1-25 bits long, i.e.,-spans 
four bytes or less): 


; Insert a right-justified bit string from a register into 
s a bit string in memory: | 

Assumptions: . 

; Ll. The base of the ee array is isubieword aianeu: 

; 2- The length of the bit string is an immediate value 

; and the bit offset is held in a page 


~we 


The. ESI register holds ‘the right justified bit string 

; to be inserted. 

; The EDI register holds the bit offset at ‘the start of the 
; substring: 

; The EAX register and ECX are also used. 


MOV ECX,EDI | ; Save original offset 


SHR EDI,3 ; divide offset by & (byte addr) 

AND CL,7?H ; get low three bits of offset 

MOV EAX, CEDIIstrg_base — 3; move string dword into EAX 
ROR EAX,CL s right justify old bit field 

SHRD EAX,ESI,length : bring in new bits 

ROL EAX,length ; right justify new bit field 

ROL EAX,CL © : bring to final position 

MOV {EDIIstrg_base,EAX  —_‘; replace doubleword in memory 


2. Bit String Insertion into Memory (when the bit SHINE is 1-31 bits long, L.e., spans five 
bytes or less): 


; Insert a right-justified bit string from a register into 
; a bit Spreng in memory: 


ods Assumptions: : 

3 1. The base of the string array is ieupieears mitgned, 
; 2. The length of. the bit string is an immediate value 
; ane the bit offset is held ina Seg eeer 


3 The EST sagieten hod ‘the right justified & bit rainy 
; to be inserted. 
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; The EDI register holds the bit offset ot the start of the 
; substring: 
; The EAX, EBX, ECX, and EDI registers also are used. 


MOV ECX,EDI ; temp storage for offset 


SHR EDI,5 ; divide offset by 32 (dwords) 
SHL EDI,¢ ; multiply by 4 (byte address) 
AND CL,1FH ; get low five bits of offset 
MOV EAX,CEDIJstrg_base ; move low string dword into EAX 
MOV EDX, CEDIIJstrg_baset+4 s other string dword into EDX 
MOV EBX,EAX ~ ; temp storage for part of string 
SHRD EAX,EDX,CL ; shift by offset within dword 
SHRD EAX,EBX,CL _ ; shift by offset within dword 
SHRD EAX,ESI, length ; bring in new bits 

ROL  EAX,length ; right justify new bit field 
MOV EBX,EAX | ; temp storage for string 

SHLD EAX,EDX,CL ; shift by offset within word 
SHLD EDX,EBX,CL ; shift by offset within word 
MOV CEDIIJstrg_base,EAX s; replace dword in memory 


MOV CEDIIJstrg_base+4 ,EDX ; replace dword in memory 


3. Bit String Insertion into Memory (when the bit string is exactly 32 bits long, 1 
spans four or five bytes): 


; Insert right-justified bit string from a register into 
; a bit string in memory. 


; Assumptions: 

; 1. The base of the string array is doubleword aligned. 
; ¢. The length of the bit string is 32 bits 

; and the bit offset is held in a register. 


; The ESI register holds the 32-bit string to be inserted. 

; The EDI register holds the bit offset to the start of the 
; substring: : 
; The EAX, EBX, ECX, and EDI registers also are used- 


MOV EDX,EDI ; Save original offset 

SHR EDI,S ; divide offset by Je (dwords) 
SHL EDI,2 | ; multiply by 4 (byte address) 
AND CL,1FH ; isolate low five bits of offset 
MOV EAX,CEDTIstrg_base ; move low string dword into EAX 
MOV EDX,CEDIIstrg_baset4 s other string dword into EDX 

MOV EBX,EAX ; temp storage for part of string 
SHRD EAX,EDX s shift by offset within dword 
SHRD EDX,EBX | ; shift by offset within dword 
MOV = EAX,EST ; move Je-bit field into position 
MOV EBX,EAX ; temp storage for part of string 
SHLD EAX,EDX y shift by offset within word 
SHLD EDX, EBX | ; shift by offset within word 
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MOV {CEDIJstrg_base,EAX ° 3; replace dword in memory 
MOV CEDIIJstrg_base,+4,EDX 3; replace dword in memory 


4, Bit String Extraction from Memory (when the bit string is 1- 25 bits Tong, ie., Spans 
four bytes or less): | 


y . a 
ee ’ D 


; Extract a right- justified bit string - nice. a register from 
sa bit SECENy in memory: mo, 


; Assumptions: ea ego ate 

; 1) The base of the strings array is doubleuord: aligned. . 
; 2) The length of.the bit. string-is an immediate value 
; ° and the bit offset .is held ie te ae 


; The EAX register hare "the aahts justifies, zero- agadaed aoe 
+ bit string that was extracted. 7 

; The EDI register holds Ene bit offset. a the start of the 

; substring. . : 

; The EDI, and ECX seuistdne Dies are: nee 


HOV ECX,EDI “temp ee (ane offset™. 

SHR  EDI,3 ; divide offset by & layer ccdnae 
AND . CL,?H Tice Mat, «3 get low three bits of offset . 
nov EAX, [EDIIstrg_ base ss move string dword into EAX. 

SHR = EAX, CL ; shift by offset within fuera . 
AND EAX,mask ss extracted bit field in EAX 


5. Bit String Extraction from Memory woe? bit string is ie 32 bits long, i.e. , spans five 
bytes or less): : 


; Extract a right-justified bit string into a ee from a 
; bit string in memory. : 


; Assumptions: 

; 1) The base of the string array’ is doubleword aligned. 
; 2) The length of the-bit ‘string is'an immediate: © 

; value and the bit offset held ie ee 


; The EAX register holds the Pah justitied, zero- padded 

* bit string that was extracted. Le 

; The EDI register holds ne bit oft set et the. ree of the 
; substring: 

; The EAX, EBX, and. ECK registers also are “used. 


HOV ECX,EDI — s Penaye’ for offset: 


~we 


SHR EDI,5 os oe dividevoffset by 32 (dwords) 
SHL EDI,e Ss cmultiply by 4 (byte address) 
AND CL,1FH hae > get low five bits of offset in 
MOV EAX,CEDIJstrg-base = ~~} move low:string ‘dword into EAX 


MOV EAX,CEDIIJstrgcbase +4 3 other string dword-into EDX 
SHRD EAX,EDX,CL oo. Vs shift right by:offset in dword 
AND  EAX,mask extracted bit field in EAX 


~ 


~e 
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3.4.5 Byler -Set-On- Condition Instructions 


This ; sroup ee raeerictions sets a — to the: value of : Zero OF one, depending on any ie 
the 16 conditions defined by the status flags. The byte may be in a register or in memory. 
These instructions are especially useful for implementing Boolean a in high- 
level eno WAEE such as Pascal. ) | : ? 


Some inneuanes represent a Reel one as an integer with all bits set. This can be done 
by using the SETcc instruction wen the mutually exclusive condition, then erctemenine 
the result. sae —_ - 


SETcc (Set Byte on. Condition cc) loads the value 1 into a byte if condition cc is true; 
clears the byte otherwise. See Appendix D for a definition of the possible conditions. 


3.4.6 Test Instruction 


TEST (Test) performs: the logical “‘and’”’ of the two operands, clears the.OF and CF 
flags, leaves the AF flag undefined, and updates the SF, ZF, and PF flags. The flags can 
be tested by conditional control transfer instructions or the byte-set-on-condition 
instructions. The operands may be bytes, words, or doublewords. 


The difference between the TEST and AND instructions is the TEST instruction does 
not alter the destination operand. The difference between the TEST-and BT instructions 
is the TEST instruction can test the value of multiple) bits t in one > operation, while Ee aaa 
instruction tests a single bit. a ; 


3.5 eee TRANSFER INSTRUCTIONS —— 


The Intel486 processor. provides both conditional and. unconditional control transfer 
instructions to direct the flow of execution. Conditional transfers are executed only for 
certain combinations of the state of the flags. Unconditional control transfers are always 
executed. 


3. 5. 1 ‘Unconditional Transtar Instructions 


The JMP, CALL, RET, INT and IRET instructions ansteta execution to a aesinallon 
in a code segment. The destination can be within the same code segment (near transfer) 
or in a different code segment (far transfer). The forms of these instructions which 
transfer execution to other segments are discussed in a later section of this chapter. If 
the model of memory organization used in a particular application does not make seg- 
ments visible to application programmers, far transfers will not be used. | 


3.5.1.1 JUMP INSTRUCTION 


JMP jump) dhcondittonally iratse rs execution to the nee acon The Jj MP TAseuction 
is a one-way transfer of execution; it does not:save a return address on the stack.. .- . 


3-23 


intel 3 APPLICATION PROGRAMMING 


The JMP instruction transfers execution from the current routine to a different routine. 
The address of the routine is specified in the instruction, in a register, or in memory. The 
location of the address determines whether it is interpreted as a relative address or an 
absolute address. 5, a - 


Relative Address. A ciate’ jump uses a displacement (immediate made constant wed 
for address calculation) held in the instruction. The displacement is signed and variable- 
length (byte or doubleword). The destination address is formed by adding the displace- 
ment to the address held in the EIP register. The EIP register then contains the address 
of the next instruction to be executed. 


Absolute Address. An absolute j samp 1S used wie a 32-bit Wee ement offset in either of the 
following ways: — 


1. The program can jump to an address in a general register. This 32- bit value is ee 
into the EIP register and execution continues. , 


2. The destination address can be a memory operand specified using the standard 
- addressing modes. The u Gperane is copied into the EIP register and execution 
continues. | . 3 


3.5.1.2 CALL INSTRUCTIONS © 


CALL (Call Procedure). transfers execution aad: saves the address of the instruction 
following the CALL instruction for later use by a RET (Return) instruction. CALL 
pushes the current contents of the EIP register on the stack. The RET instruction in the 
called procedure uses this address to transfer execution back to the calling program. 


CALL instructions, like JMP instructions, have relative and absolute forms. 


Indirect CALL instructions specify an absolute address in one of the following ways: 


fa The | program can jump to an address i ina general register. This 32-bit value is copied 
into the EIP register, the return address is pushed on the stack, and execution 
continues. 


2. The destination address can be a memory operand specified using the standard 
addressing modes. The operand is copied into the EJP register, the return address is 
pusace on the stack, and execution continues. 


3.5.1.3 RETURN AND RETURN- FROM- INTERRUPT INSTRUCTIONS 


RET (Return From Procedure) terminates a procedure and transfers execution to the 
instruction following the CALL instruction which originally invoked the procedure. The 
RET instruction restores the contents of the EIP register which were pushed on the 
stack when the procedure was called. 


The RET instructions have an optional immediate sei When present, ‘this constant 


is added to the contents of the ESP register, which has the effect of ene ay 
parameters pusneas on the stack before the procedure call.. . | , 
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IRET (Return From Interrupt) returns control to an interrupted procedure. The IRET 
instruction differs from the RET instruction in that it also restores the EFLAGS register 
from the stack. The contents of the EFLAGS register are stored on the stack when an 
interrupt occurs. 


3.5.2 Conditional Transfer Instructions 


The conditional transfer instructions are jumps which transfer execution if the states in 
the EFLAGS register match conditions specified in the instruction. | 


3.5.2.1 CONDITIONAL JUMP INSTRUCTIONS 


Table 3-3 shows the mnemonics for the jump instructions. The instructions listed as pairs 
are alternate names for the same instruction. The assembler provides these names for 
greater clarity in program listings. 


A fan of the conditional jump instructions is avaiable which uses a displacement added 
to the contents of the EIP register if the specified condition is true. The displacement 
may be a byte or doubleword. The displacement is signed: it can ‘De used to jump for- 
ward or backward. 


Table 3-3. Conditional Jump Instructions 


Unsigned Conditional Jumps 


Mnemonic - . Flag States 7S Description | 
JA/JNBE (CF or ZF)=0 | above/not below nor equal 
JAE/JNB _ CF=0 , above or equal/not below 
JB/JNAE  CF=1 | below/not above nor equal 
JBE/JNA (CF or ZF) =1 below or equal/not above 
JC | CF=1 Carry 

JE/JZ ZF=1 equal/zero 

JNC CF=0 | not carry 

JNE/JNZ ZF=0 not equal/not zero. 
JNP/JPO PF=0 not parity/parity odd 
JP/JPE PF=1 parity/parity even 


Signed Conditional Jumps 


JG/JNLE ~  ((SF xor OF) or ZF) =O | greater/not less nor equal 
JGE/JNL mt (SF xor OF) =0 , greater or equal/not less 
JL/JNGE (SF xor OF) = 1 _less/not greater nor equal 
JLEJING __ ((SF xor OF) or ZF) =1 less or equal/not greater 
OF=0 | not overflow | 
SF=0 | _ | not sign (non-negative) 
OF=1 7 overflow — 
SF=1_ ~ sign (negative) 
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3.5.2.2 LOOP INSTRUCTIONS 


The loop instructions are conditional jumps which use a value placed in the ECX regis- 
ter as a count for the number of times to run a loop. All loop instructions decrement the 
contents of the ECX register on each reposition and terminate when zero is reached. 
Four of the five loop instructions accept the ZF flag as a condition for terminating the 
loop before the count reaches zero. 7 


LOOP (Loop While ECX Not Zero) is a conditional jump instruction which decrements | 
the contents of the ECX register before testing for the loop-terminating condition. If 
contents of the ECX register are non-zero, the program jumps to the destination speci- 
fied in the instruction. The LOOP instruction causes the execution of a block of code to 
be repeated until the count reaches zero. When zero is reached, execution is transferred 
to the instruction immediately following the LOOP instruction. If the value in the ECX 
register is zero when the instruction is first called, the count is pre-decremented to 
OFFFFFFFFH and the LOOP runs 2” times. 


LOOPE (Loop While Equal) and LOOPZ (Loop While Zero) are synonyms for the same 
instruction. These instructions are conditional jumps which decrement the contents of 
the ECX register before testing for the loop- -terminating condition. If the contents of the 
ECX register are non-zero and the ZF flag i is set, the program jumps to the destination 
specified in the instruction. When zero is reached or the ZF flag is clear, execution is 
transferred to the instruction immediately following the LOOPE/LOOPZ instruction. 


LOOPNE (Loop While Not Equal) and LOOPNZ (Loop While Not Zero) are synonyms 
for the same instruction. These instructions are conditional jumps which decrement the 
contents of the ECX register before testing for the loop-terminating condition. If the 
contents of the ECX register are non-zero and the ZF flag is clear, the program jumps to 
the destination specified in the instruction. When zero is reached or the ZF flag is set, 

execution is transferred to the instruction immediately following the LOOPE/LOOPZ, 
instruction. ) | 


3.5.2.3 EXECUTING A LOOP OR REPEAT ZERO TIMES 


JECXZ (Jump if ECX Zero) jumps to the destination specified in the instruction if the 
ECX register holds a value of zero. The JECXZ instruction is used in combination with 
the LOOP instruction and with the string scan and compare instructions. Because these 
instructions decrement the contents of the ECX register before testing for zero, a loop 
will run 2° times if the loop is entered with a zero value in the ECX register. The 
JECXZ instruction is used to create loops which fall through without executing when the 
initial value is zero. A JECXZ instruction at the beginning of a loop can be used to jump 
out of the loop if the count is zero. When used with repeated string scan and compare 
instructions, the JECXZ instruction can determine whether the loop terminated due to 
the count or due to satisfaction of the scan or compare conditions. 
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3.5.3 Software Interrupts 


The INT, INTO, and BOUND instructions allow the programmer to specify a transfer of 
execution to an exception or interrupt handler. 


INTn (Software Interrupt) calls the handler specified by an interrupt vector encoded in 
the instruction. The INT instruction may specify any interrupt type. This instruction is 
used to support multiple types of software interrupts or to test the operation of interrupt 
service routines. The interrupt service routine terminates with an IRET instruction, 
which returns execution to the instruction following the INT instruction. 


INTO (Interrupt on Overflow) calls the handler for the overflow exception, if the OF 
flag is set. If the flag is clear, execution continues without calling the handler. The OF 
flag is set by arithmetic, logical, and string instructions. This instruction supports the use 
of software interrupts for handling error conditions, such as arithmetic overflow. 


BOUND (Detect Value Out of Range) compares the signed value held in a general reg- 
ister against an upper and lower limit. The handler for the bounds-check exception is 
called if the value held in the register is less than the lower bound or greater than the 
upper bound. This instruction supports the use of software interrupts for bounds check- 
ing, such as checking an array index to make sure it falls within the range defined for the 
array. | | 


The BOUND instruction has two operands. The first operand specifies the general reg- 
ister being tested. The second operand is the base address of two words or doublewords 
at adjacent locations in memory. The lower limit is the word or doubleword with the 
lower address; the upper limit has the higher address. The BOUND instruction assumes 
that the upper limit and lower limit are in adjacent memory locations. These limit values 
cannot be register operands; if they are, an invalid-opcode exception occurs. 


The upper and lower limits of an array can reside just before the array itself. This puts 
the array bounds at a constant offset from the beginning of the array. Because the 
address of the array already will be present in a register, this practice avoids extra bus 
cycles to obtain the effective address of the array bounds. 


3.6 STRING OPERATIONS 


String operations manipulate large data structures in memory, such as alphanumeric 
character strings. See also the section on J/O for information about the string I/O 
instructions (also known as block I/O instructions). 
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The string operations are made by putting string instructions (which execute only one 
iteration of an operation) together with other features of the instruction set, such as 
repeat prefixes. The string instructions are: 


MOVS — Move String 
CMPS — Compare string 
SCAS — Scan string 
LODS — Load string 
STOS — mtOre string 


After a string instruction executes, the re source and destination registers point to 
the next elements in their strings. These registers automatically increment or decrement 
their contents by the number of bytes occupied by each string element. A string element 
can be a byte, word, or doubleword. The string registers are: 


ESI—Source index register _ 
EDI — Destination index register 


String operations can begin at higher addresses and work toward lower ones, or they can 
begin at lower addresses and work toward higher ones. The direction is controlled by: 


DF — Direction flag 


If the DF flag i is clear, the registers are incremented. If the flag i is set, the registers are 
decremented. These instructions set and clear the flag: 


_STD—Set direction flag instruction 
CLD — Clear direction flag instruction 


To. operate on more than one element of a string, a repeat pes must be used, such as: 


REP — Repeat while the ECX register not Zero 
REPE/REPZ — Repeat while the ECX register not zero and the ZF flag i is set et 
REPNE/REPNZ -— Repeat while the ECX register not zero and the ZF flag is clear 


Exceptions or interrupts which occur during a string instruction leave the registers in a 
state which allows the string instruction. to be restarted. The source and destination 
registers point to the next string elements, the EIP register points to the string instruc- 
tion, and the ECX register has the value it held following the last successful iteration. 
All that is necessary to restart the operation is to service the interrupt or fix the source 
of the exception, then execute an IRET instruction. 


3.6.1 Repeat Prefixes 
The repeat prefixes REP (Repeat While ECX Not Zero), REPE/REPZ (Repeat While 
Equal/Zero), and REPNE/REPNZ (Repeat While Not Equal/Not Zero) specify repeated 


operation of a string instruction: This form of iteration allows string Oper auomen to PEO: 
ceed much faster than would be. possible with a software loop. | 
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When a string instruction has a repeat prefix, the operation executes until one of the 
termination conditions specified by the prefix is satisfied. 


For each repetition of the instruction, the string operation may be suspended by an 
exception or interrupt. After the exception or interrupt has been serviced, the string 
operation can restart where it left off. This mechanism allows long string operations to 
proceed without affecting the interrupt response time of the system. 


All three prefixes shown in Table 3-4 cause the instruction to repeat until the ECX 
register is decremented to zero, if no other termination condition is satisfied. The repeat 
prefixes differ in their other termination condition. The REP prefix has no other termi- 
nation condition. The REPE/REPZ and REPNE/REPNZ prefixes are used exclusively 
with the SCAS (Scan String) and CMPS (Compare String) instructions. The REPE/: 
REPZ prefix terminates if the ZF flag is clear. The REPNE/REPNZ prefix terminates if 
the ZF flag is set. The ZF flag does not require initialization before execution of a 
repeated string instruction, because both the SCAS and CMPS instructions affect the ZF 
flag according to the results of the comparisons they make. 


3.6.2 Indexing and Direction Flag Control 


Although the general registers are completely interchangeable under most conditions, 
the string instructions require the use of two specific registers. The source and destina- 
tion strings are in memory addressed by the ESI and EDI registers. The ESI register 
points to source operands. By default, the ESI register is used with the DS segment 
register. A segment-override prefix allows the ESI register to be used with the CS, SS, 
ES, FS, or GS segment registers. The EDI register points to destination operands. It 
uses the segment indicated by the ES segment register; no segment override is allowed. 
The use of two different segment registers in one instruction perms operations between 
strings in different segments. 


When ESI and EDI are used in string instructions, they automatically are incremented 
or decremented after each iteration. String operations can begin at higher addresses and 
work toward lower ones, or they can begin at lower addresses and work toward higher 
ones. The direction is controlled by the DF flag. If the flag is clear, the registers are 
incremented. If the flag is set, the registers are decremented. The STD and CLD 
instructions set and clear this flag. Programmers should always put a known value in the © 
DF flag before using a string instruction. 


Table 3-4. Repeat Instructions 


Repeat Prefix Termination Condition 1 | Termination Condition 2 


REP 7 
REPE/REPZ 
REPNE/REPNZ 
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3.6.3 String Instructions 


MOVS (Move String) moves the string element addressed by the ESI register to the 
location addressed by the EDI register. The MOVSB instruction moves bytes, the 
MOVSW instruction moves words, and the MOVSD instruction moves doublewords. 
The MOVS instruction, when accompanied by the REP prefix, operates as a memory- 
to-memory block transfer. To set up this operation, the program must initialize the ECX, 
ESI, and EDI registers. The ECX register specifies the number of elements in the block. 


CMPS (Compare Strings) subtracts the destination string element from the source string 
element and updates the AF, SF, PF, CF and OF flags. Neither string element is written 
back to memory. If the string elements are equal, the ZF flag is set; otherwise, it is 
cleared. CMPSB compares — ‘CMPSW compares words, and CMPSD ste ali 
doublewords. a 


SCAS (Scan String) subtracts the evasion string element from the EAX, AX, or AL 
register (depending on operand length) and updates the AF, SF, ZF, PF, CF and OF 
flags. The string and the register are not modified. If the values are equal, the ZF flag is 
set; otherwise, it is cleared. ‘The SCASB instruction scans bytes; the SCASW instruction 
scans words; the SCASD instruction scans doublewords. 


- When the REPE/REPZ or REPNE/REPNZ. aiete sialic: either the SCAS or CMPS 
instructions, the loop which is formed is terminated by the evoors counter or r the effect the 
as or CMPS instruction _ on the ZF es 7 | 


LODS (Load String) slates thes source string element addressed by the ESI register into 
the EAX register for doubleword strings, into the AX. register for word Strings, or into 
the AL register for byte strings. This instruction usually is used in a loop, where other 
instructions ‘process each element of the string as they appear in i the register. . | 


STOS (Store String) places the source string element front the BAX, AX, or AL register 
into the string addressed by the EDI register. This instruction usually is used in a loop, 
where it writes to memory the result of processing a string element read from memory 
with the LODS instruction. A aad STOS instruction » is the. rastest a to initialize a 
ee block of memory. ! 


3.7 panacea BLOCK-STRUCTURED LANGUAGES 


These instructions provide machine-language support for implementing block-structured 
languages, such as C and Pascal. They include ENTER and LEAVE, which simplify 
procedure entry and exit in compiler-generated code. as support a structure of point- 
ers and, local variables on ie oa called a aes antes feo | 


ENTER (Enter Procedure) creates a stack frame compatible with the scope. rules of 
block-structured languages. In these languages, a procedure has access to its own vari- 
ables and some number of other variables defined elsewhere in the program. The scope 
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of a procedure is the set of variables to which it has access. The rules for scope vary 
among languages; they may be based on the nesting of procedures, the division of the 
program into separately-compiled files, or some other modularization scheme. 


The ENTER instruction has two operands. The first specifies the number of bytes to be 
reserved on the stack for dynamic storage in the procedure being entered. Dynamic 
storage is the memory allocated for variables created when the procedure is called, also 
known as automatic variables. The second parameter is the lexical nesting level (from 0 
to 31) of the procedure. The nesting level is the depth of a procedure in the hierarchy of 
a block-structured program. The lexical level has no particular relationship to either the 
protection privilege level or to the I/O privilege level. 3 


The lexical nesting level determines the number of stack frame pointers to copy into the 
new stack frame from the preceding frame. A stack frame pointer is a doubleword used 
to access the variables of a procedure. The set of stack frame pointers used by a proce- 
dure to access the variables of other procedures is called the display. The first double-. 
word in the display is a pointer to the previous stack frame. This pointer is used by a 
LEAVE instruction to undo the effect of an ENTER instruction by discarding the cur- 
rent stack frame. 


Example: ENTER cO48,3 


Allocates 2K bytes of dynamic storage on the stack and sets up pointers to two 
_ previous stack frames in the stack frame for this procedure. , | 


After the ENTER instruction creates the display for a procedure, it allocates the 
dynamic (automatic) local variables for the procedure by decrementing the contents of 
the ESP register by the number of bytes specified in the first parameter. This new value 
in the ESP register serves as the initial top-of-stack for all PUSH and POP operauons 
within the procedure. | n we 


To allow a procedure to address its display, the ENTER instruction leaves the EBP 
register pointing to the first doubleword in the display. Because stacks grow down, this is 
actually the doubleword with the highest address in the display. Data manipulation 
instructions which specify the EBP register as a base register automatically aaaress 
locations within the stack segment instead of the data onc 


The ENTER instruction can be used in two ways: nested and non-nested. If the lexical 
level is 0, the non-nested form is used. The non-nested form pushes the contents of the 
EBP register on the stack, copies the contents of the ESP register into the EBP register, 
and subtracts the first operand from the contents of the ESP register to allocate dynamic 
storage. The non-nested form differs from the nested form in that no stack frame point- 
ers are copied. The nested form of the ENTER instruction occurs when the second 
parameter (lexical level) is not zero. | 


Figure 3-15 shows the formal definition of the ENTER instruction. STORAGE is the 


number of bytes of dynamic lOnees to allocate for: local vanavles; and LEVEL is the 
lexical nesting level. | | 


3-31 


intal ; APPLICATION PROGRAMMING 


Push EBP 
Set a temporary value FRAME_PTR : = =ESP — 
If LEVEL 0 then | | 
Repeat LEVEL — 1) times: 
EBP :=EBP -—4 


Push the doubleword pointed to by EBP 
End repeat 
Push FRAME__PTR: 


End if 
EBP :=FRAME_PTR | 
ESP :=ESP-STORAGE ~ 


Figure 3-15. Formal Definition of the ENTER Instruction 


The main procedure (in which all other procedures are nested) operates at the highest 
lexical level, level 1. The first procedure it calls operates at the next deeper lexical level, 
level 2. A level 2 procedure can access the variables of the main program, which are at 
fixed locations specified by the compiler. In the case of level 1, the ENTER instruction 
allocates only the requested dynamic storage on the stack because there is no previous 

display to copy. | 


A procedure which calls another procedure at a lower lexical level gives the called pro- 
cedure access to the variables of the caller. The ENTER instruction provides this access 
by placing a pointer to the calling procedure’s stack frame in the display. © 


A procedure which calls another procedure at the same lexical level should not give 
access to its variables. In this case, the ENTER instruction copies only that part of the 
display from the calling procedure which refers to previously nested procedures operat- 


. Ing at higher lexical levels. The new stack frame does not include the pointer for. 


addressing the calling procedure’s stack frame. 


The ENTER instruction treats a re-entrant procedure as a call to a procedure at the 
same lexical level. In this case, each succeeding iteration of the re-entrant procedure can 
address only its own variables and the variables of the procedures within which it is 
nested. A re-entrant procedure always can address its own variables; it does not require 
pointers to the stack frames of previous iterations. 


By copying only the stack frame pointers of procedures at higher lexical levels, the 
ENTER instruction makes certain that procedures access only those variables of higher 
lexical levels, not those at parallel lexical levels (see Figure 3-16). . 
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MAIN (LEXICAL LEVEL 1) 


PROCEDURE A (LEXICAL LEVEL 2) 


PROCEDURE B (LEXICAL LEVEL 3) 


PROCEDURE C (LEXICAL LEVEL 3) 


PROCEDURE D (LEXICAL LEVEL 4) 
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Figure 3-16. Nested Procedures 


Block-structured languages can use the lexical levels defined by ENTER to control 
access to the variables of nested procedures. In the figure, for example, if PROCE- 
DURE A calls PROCEDURE B which, in turn, calls PROCEDURE C, then PROCE- 
DURE Cwill have access to the variables of MAIN and PROCEDURE A, but not those 
of PROCEDURE B because they are at the same lexical level. The following definition 
describes the access to variables for the nested procedures in the figure. 


1. MAIN has variables at fixed locations. 
2. PROCEDURE A can access only the variables of MAIN. 


3. PROCEDURE B can access only the variables of PROCEDURE A ae MAIN. 
_ PROCEDURE B cannot access the variables of PROCEDURE C or PROCE- 
DURE D. 


4. PROCEDURE C can access only the variables of PROCEDURE A and MAIN. 
~ PROCEDURE C cannot access the variables of PROCEDURE B or PROCE- 
DURE D. | 


5. PROCEDURE D can access the variables of PROCEDURE C, PROCEDURE A, 
-and MAIN. PROCEDURE D cannot access the variables of PROCEDURE B. | 


In the following diagram, an ENTER instruction at the beginning of the MAIN program 
creates three doublewords of dynamic storage for MAIN, but copies no pointers from 
other stack frames (See Figure 3-17). The first doubleword in the display holds a copy of 
the last value in the EBP register before the ENTER instruction was executed. The 
second doubleword (which, because stacks grow down, is stored at a lower address) 
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EBP 
DISPLAY ea 
MAIN’S EBP 
E 
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Figure 3-17. Stack Frame After Entering MAIN 


holds a copy of the contents of the EBP register following the ENTER instruction. After | 
the instruction is executed, the EBP register points to the first doubleword pushed on 
the stack, and the ESP register points to the last doubleword in the stack frame. 


When MAIN calls PROCEDURE A, the ENTER instruction creates a new display (see 
Figure 3-18). The first doubleword is the last value held in MAIN’s EBP register. The 
second doubleword is a pointer to MAIN’s stack frame which is copied from the second 
doubleword in MAIN’s display. This happens to be another copy of the last value held in 
MAIN’s EBP register. PROCEDURE A can access variables in MAIN because MAIN 
is at level 1. Therefore the base address for the dynamic storage used in MAIN is the 
current address in the EBP register, plus four bytes to account for the saved contents of 
MAIN’s EBP register. All dynamic variables for MAIN are at fixed, positive offsets from 
this value. 


When PROCEDURE A calls PROCEDURE B, the ENTER instruction creates a new 
display (See Figure 3-19). The first doubleword holds a copy of the last value in PRO- 
CEDURE A’s EBP register. The second and third doublewords are copies of the two 
stack frame pointers in PROCEDURE A’s display. PROCEDURE B can access vari- 
ables in PROCEDURE A and MAIN by using the stack frame pointers in its display. 


When PROCEDURE B calls PROCEDURE C, the ENTER instruction creates a new — 
display for PROCEDURE C (See Figure 3-20). The first doubleword holds a copy of the 
last value in PROCEDURE B’s EBP register. This is used by the LEAVE instruction to 
restore PROCEDURE B’s stack frame. The second and third doublewords are copies of 
the two stack frame pointers in PROCEDURE A’s display. If PROCEDURE C were at 
the next deeper lexical level from PROCEDURE B, a fourth doubleword would be 
copied, which would be the stack frame pointer to PROCEDURE B’s local variables. 
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OLD EBP 
MAIN’S EBP 


MAIN’S EBP 


DISPLAY MAIN’S EBP | 
PROCEDURE A’S EBP 


DYNAMIC 
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Figure 3-18. Stack Frame After Entering PROCEDURE A 


OLD EBP . 


_ MAIN’S EBP 


. MAIN’S EBP 


MAIN’S EBP 
PROCEDURE A’S EBP 


PROCEDURE A’S EBP 
MAIN’S EBP 


EBP 


DISPLAY 
PROCEDURE A’S EBP 
| PROCEDURE B’S EBP 
DYNAMIC. 
STORAGE 


ESP 
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Figure 3-19. Stack Frame After Entering PROCEDURE B 
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OLD EBP 
MAIN’S EBP 


| MAIN’S EBP 
-  MAIN’S EBP 
PROCEDURE A’S EBP : 
- PROCEDURE A’S EBP > 
7 - . MAIN’S EBP : 
PROCEDURE A’S EBP | 
_. PROCEDURE B’S EBPs, 
| : PROCEDURE B’S EBP , 
DISPLAY | ..MAIN’S EBP _. 
-... PROCEDURE A’S EBP.- 
| PROCEDURE C’SEBP 


DYNAMIC 
STORAGE 
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Figure 3-20. Stack Frame After Entering PROCEDURE C 


Note that PROCEDURE B and PROCEDURE C are at the same level, so PROCE- 
DURE C is not intended to access PROCEDURE B’s variables. This does not mean 
that PROCEDURE C is completely isolated from PROCEDURE B; PROCEDURE C 
is called by PROCEDURE B, so the pointer to the returning stack frame is a pointer to 
PROCEDURE B’s stack frame. In addition, PROCEDURE B can pass parameters to 
PROCEDURE C either on the stack or through variables global to both procedures 
(i.e., variables in the scope.of both procedures). eine | 


LEAVE (Leave Procedure) reverses the action of the previous ENTER instruction. The 
LEAVE instruction does.not have any operands. The LEAVE instruction copies the 
contents of the EBP register into the ESP register to release all stack space allocated to 
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the procedure. Then the LEAVE instruction restores the old value of the EBP register 
from the stack. This simultaneously restores the ESP register to its original value. A 
subsequent RET instruction then can remove any arguments and the return address 
pushed on the stack by the calling program for use by the procedure. 


3.8 FLAG CONTROL INSTRUCTIONS 


The flag control instructions change the state of bits in the EFLAGS register, as shown 
in Table 3-5. | 


3.8.1 Carry and Direction Flag Control Instructions 


The carry flag instructions are useful with instructions like the rotate-with-carry instruc- 
tions RCL and RCR. They can initialize the carry flag, CF, to a known state before 
execution of an instruction which copies the flag into an operand. 


The direction flag control instructions set or clear the direction flag, DF, which controls 
the direction of string processing. If the DF flag is clear, the processor increments the 
string index registers, ESI and EDI, after each iteration of a string instruction. If the DF 
flag is set, the processor decrements these index registers. | 


3.8.2 Flag Transfer Insiructions 


Though specific instructions exist to alter the CF and DF flags, there is no direct method 
of altering the other application-oriented flags. The flag transfer instructions allow a 
program to change the state of the other flag bits using the bit manipulation instructions 
once these flags have been moved to the stack or the AH register. 


The LAHF and SAHF instructions deal with five of the status flags, which are used 
primarily by the arithmetic and logical instructions. 


LAHF (Load AH from Flags) copies the SF, ZF, AF, PF, and CF flags to the AH register 


bits 7, 6, 4, 2, and 0, respectively (see Figure 3-21). The contents of the remaining bits 5, 
3, and 1 are left undefined. The contents of the EFLAGS register remain unchanged. 


SAHF (Store AH into Flags) copies bits 7, 6, 4, 2, and 0 from the AH register into the SF, 
ZF, AF, PF, and CF flags, respectively (see Figure 3-21). 


Table 3-5. Flag Control Instructions 


STC (Set Carry Flag) | | CF <1 
CLC (Clear Carry Flag) CF <0 


CMC (Complement Carry Flag) CF < — (CF) 
CLD (Clear Direction Flag) DF <0 
STD (Set Direction Flag) DF <— 1 
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THE BIT POSITIONS OF THE FLAGS ARE THE SAME, 
WHETHER THEY ARE HELD IN THE EFLAGS REGISTER 
OR THE AH REGISTER. BIT POSITIONS SHOWN AS 

0 OR 1 ARE INTEL RESERVED. DO NOT USE. 


24048613-21 


_ Figure 3-21. Low Byte of EFLAGS Register: 


The PUSHF and POPF instructions are not only useful for storing the flags in memory 
where they can be examined and modified, but also are useful for preserving the state of 
the EFLAGS register while executing a subroutine. 4 


PUSHF (Push Flags) pushes the lower word of the EFLAGS register onto the stack (s8e 
Figure 3-22). The PUSHFD instruction pushes the entire EFLAGS register onto the 
stack (the RF flag reads as clear, however). 


POPF (Pop Flags) pops a word from the stack into the EFLAGS register. Only bits 14, 
11, 10, 8, 7, 6, 4, 2, and 0 are affected with all uses of this instruction. If the privilege 
level of the current code segment is 0 (most privileged), the IOPL bits (bits 13 and 12) 
also are affected. If the I/O privilege level (IOPL) is 0, the IF flag (bit 9) also is affected. 
The POPFD instruction pops .a doubleword into the EFLAGS register, and it can 
change the state of the AC bit (bit 18) as well as the bits affected by a POPF instruction. 


“ > PUSHFD/POPFD 
- ae PUSHF/POPF _ 


BIT POSITIONS MARKED 0 OR 1 ARE INTEL RESERVED. 
DO NOT USE. 
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Figure 3-22. Flags Used with PUSHF and POPF 
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3.9 NUMERIC INSTRUCTIONS 


The Intel486 processor includes hardware and instructions for high-precision numeric 
operations on a variety of numeric data types, including 80-bit extended real and 64-bit 
long integer. Arithmetic, comparison, transcendental, and data transfer instructions are 
available. Frequently-used constants are also provided, to enhance the speed of numeric 
calculations. 


The numeric instructions are embedded in the instruction stream of the Intel486 proces- 
sor, as though they were being executed by a single device having both integer and 
floating-point capabilities. But the floating-point unit of the Intel486 CPU actually works 
in parallel with the integer unit, resulting in higher performance. 


Refer to Section 10.2 to confirm the presence of an Intel486 floating point unit. 


Part III of this manual, Chapters 14-18, describe the numeric instructions in more detail. 


3.10 SEGMENT REGISTER INSTRUCTIONS 


There are several distinct types of instructions which use segment registers. They are 
grouped together here because, if system designers choose an unsegmented model of 
memory organization, none of these instructions are used. The instructions which deal 
with segment registers are: | 


1. Segment- register transfer instructions. 


MOV ‘SegReg, «-- 
MOV ..., SegReg 
PUSH SegReg 
POP SegReg 
2. Control transfers to another executable segment. 
JMP far | 
CALL far 
RET far 


3. Data pointer instructions. 


LDS reg, 48-bit memory operand 
LES reg, 48-bit memory operand 
LFS reg, 48-bit memory operand 
LGS reg, 48-bit memory operand 
LSS reg, 48-bit memory operand 


4. Note that the following interrupt-related instructions also are used in unsegmented 
systems. Although they can transfer execution between segments when enon 
is used, this is transparent to the application programmer. 

INT n 
INTO 
BOUND 
IRET 
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3.10.1 Segment-Register Transfer Instructions 


Forms of the MOV, POP, and PUSH instructions also are used to load and store seg- 
ment registers. These forms operate like the general-register forms, except that one 
operand is a segment register. The MOV instruction cannot copy the contents of a 
segment register into another segment register. 


The POP and MOV instructions cannot place a value in the CS register (code segment); 
only the far control-transfer instructions affect the CS register. When the destination is 
the SS register (stack segment), interrupts are disabled until after the next instruction. 


On the Intel386 DX processor, loading a segment register always results in locked read 
and write cycles to set the Accessed bit. On the Intel486 processor, locked cycles are 
generated only if the Accessed bit is not already set. 


No 16-bit operand size prefix is needed when transferring data between a segment reg- 
ister and a 32-bit general register. 3 
3.10.2 Far Control Transfer Instructions © 


The far control-transfer instructions transfer execution to a destination in another seg- 
ment by replacing the contents of the CS register. The destination is specified by a far 
pointer, which is a 16-bit segment selector and a 32-bit offset into the segment. The far 
pointer can be an immediate operand or an operand in memory. 


Far CALL. An intersegment CALL instruction places the values held in the EIP and CS 
registers on the stack. 


Far RET. An intersegment RET instruction restores the values of the CS and EIP reg- 
isters from the stack. 


3.10.3 Data Pointer Instructions 


The data pointer instructions load a far pointer into the processor registers. A far 
pointer consists of a 16-bit segment selector, which is loaded into a segment register, and 
a 32-bit offset into the segment, which is loaded into a general register. 


LDS (Load Pointer Using DS) copies a far. pointer from the source operand into the DS 
register and a general register. The source operand must be a memory operand, and the 
destination operand must be a general register. 


Example: LDS ESI, STRING_X 
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Loads the DS register with the segment selector for the segment addressed by 
STRING_X, and loads the offset within the segment to STRING_X into the ESI 
register. Specifying the ESI register as the destination operand is a convenient way 
to prepare for a string operation, when the source string is not in the current data 
segment. | 


LES (Load Pointer Using ES) has the same effect as the LDS instruction, except the 
segment selector is loaded into the ES register rather than the DS register. 


Example: LES EDI, DESTINATION_X 


Loads the ES register with the segment selector for the segment addressed by DES- 
TINATION_X, and loads the offset within the segment to DESTINATION_X into 
the EDI register. This instruction is a convenient way to select a destination for 
string operation if the desired location is not in the current E-data Scement: : 


LFS (Load Pointer Using FS) has the same effect as the LDS instruction, except the FS 
register receives the segment selector rather than the DS register. 


LGS (Load Pointer Using GS) has the same effect as the LDS instruction, except the GS 
register receives the segment selector rather than the DS register. : 


LSS (Load Pointer Using SS) has the same effect as the LDS instruction, except the SS 
register receives the segment selector rather than the DS register. This instruction is 
especially important, because it allows the two registers which identify the stack (the SS 
and ESP registers) to be changed in one uninterruptible operation. Unlike the other 
instructions which can load the SS register, interrupts are not inhibited at the end of the 
LSS instruction. The other instructions, such as POP SS, turn off interrupts to permit 
the following instruction to load the ESP register without an intervening interrupt. Since 
both the SS and ESP registers can be loaded by the LSS instruction, there is no need to 
disable or re-enable interrupts. 


3.11 MISCELLANEOUS INSTRUCTIONS 


The following instructions do not fit in any of the previous categories, but are no less 
important. 


The BSWAP, XADD, and CMPXCHG instructions are not available on Intel386 DX or 
SX microprocessors. An Intel386 CPU can perform the same operations in multiple 
instructions. To use these instructions, always include functionally-equivalent code for 
Intel386 CPUs. Use the code in Figure 3-23 to determine whether these instructions can 
be used. : 


The INVD and WBINVD instructions cannot be implemented on earlier processors due 
to the introduction of on-chip cache on the Intel486 CPU. Use the code in Figure 3-23 
for petecune an Intel486 processor at runtime. 
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‘TITLE CPUID 
DOSSEG 
model 
stack 
-data 
fp_status 
id_mess ‘'This system nas a$'’ 
fp_d08? : ‘and an 4047 math coprocessor$’’ 
fp_4028? ‘Yand an Intel247™ math coprocessor$’! 
fp_60387 ‘‘and an Intel387™ math coprocessor$’! 
cAaab **n4@8b/8088 microprocessor$’’ 
cebb ‘*n028b microprocessor$’’ 
c38b | “Intel34b” microprocessor$!! 
c4ab : "'Intel4ab™ DX microprocessor/Intel4a?™ SX math coprocessor$!! 
c4Bbnfp ~ *"TIntel4¥ab SX microprocessor$!' | 
- period | a eg wg"! 544,10 
present_db ) 
present_chb g 
present_j8b 0 
present 44b 0 


The purpose of this code is to allow the user the ability to identify 
the processor and coprocessor that is currently in the system. The 
algorithm of the program is to first determine the processor id. 

When that is accomplished, the program continues to then identify 
whether a coprocessor exists in the system. If a coprocessor or 
‘integrated coprocessor exists, the program will identify the 
coprocessor. id- If one does not exist, the program then terminates. 


-code 


ax,ddata . 
ds, ax | | ; set segment register 


dx, offset sprint header message 
id_mess 


ah, Sh 


Figure 3-23. CPU_ID, MCP_ID Detection Code 
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4846 check 
Bits 12-15 are always set on the 4086 processor. 


pushf ; save EFLAGS 

pop bx ; Store EFLAGS in BX 

mov ; clear bits 12-15 

and ; in EFLAGS 

push ; Store enw EFLAGS value on stack 

popf ; replace current EFLAGS value 

pushf ; set new EFLAGS 

pop ax ; store new EFLAGS in AX 

and ax, 0f080h ; if bits 12-15 are set, then CPU 

cmp ax , Of 000h ; is an §04b/8088 

mov dx,offset cAdab ~~ . 3 Store 404b/4084 message 

mov preset_db,1 ; turn on 8046/4084 flag 

je check_f pu ; if CPU is 6086/8084, check for 
; 4087 


ad28b CPU Check 
Bits 12-15 are always clear on the 4@24b processor. 


or bx ,8f88Gh ; try to set bits 12-15 © 
push bx 

popf 

pushf | 

pop ax | 

and ax, 0f000h ; If bits 12-15 are cleared, then 


dx,offset ccdb ; CPU is a 2db 

present_dab ,@ ; turn off 8@4b/4048 flag 

present_c&b,1 ; turn on 2&b flag 

check_fpu * if CPU is 24b, check for Intel2d? 
. * microprocessor 


Intel38b CPU check : 

The AC bit, bit #18, is a new bit introduced in the EFLAGS register 

on the Intel4&b DX CPU to generate alignment faults. This bit can be set 
on the Intel4¥Ab DX CPU, but not on the Intel34b CPU. 


MOV bx,Sp * Save current stack pointer to 
; align it 
sp,not 3 * align stack to avoid AC fault 
db bbh 
* push original EFLAGS 
db bbh 
; get original EFLAGS 
db 
; save original EFLAGS 
db ; xor EAX, 4@808h 
; flip AC bit in EFLAGS 
dw ; upper ib-bits of xor constant 
db 
; save for EFLAGS 
db ; | 
; copy to EFLAGS 


Figure 3-23. CPU_ID, MCP_ID Detection Code (Contd.) 
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bbh 
; push EFLAGS 
bbh 
ax ; get new EFLAGS value 
_ bbh 
ax , CX ; if AC bit cannot be changed, 
; CPU is 
dx, offset ; Store Intelj&b microprocessor message 
c3ab 
present_cab ,@ ; turn off cab flag 
present_Jab,1 ; if CPU is Intel3&b CPU, now check for 
check_f pu ; Intel26?/Intelj&? math coprocessors 


4’b DX CPU and 48b DX CPU w/o FPU checking 


mov dx ,offset,c4Abnfp. ; store Intel4¥4b NFP message 
mov present_3ab ,0 ; turn off Intel3&b CPU flag 
mov present_44b,1 ; turn on Intel44b CPU flag 


Co-processor checking begins here for the &@4b/c&b/Intel3&b CPUs. 

The algorithm is to determine whether or not the floating-point 

status and control words can be written to, the correct coprocessor 

is then determined depending on the processor id- Coprocessor checks 

are first performed for an &@4b, 266 and an Intel4¥Sb DX CPU. If the 

coprocessor id is stillundetermined, the system must contain an Intel3&b 

CPU. The Intel3&b CPU may work with either an Intel24?7 or an Intel347 math coprocessor: 
infinity of the coprocessor must be checked to determine the correct 

coprocessor id. 


heck_fpu: So a . 
| fninit ; check for 404?/Intelc4?/Intel34? 
; math coprocessors 
mov fp_status,SaSah ; initialize temp word to non-zero value 
fnstsw fp_status ; save FP status word 
mov ax, fp_status ; check FP status word 
cmp  .al,@ . ; see if correct status with 
- : 3 written 
jne print_one ; jump if not Valid, no NPX 
; installed 
fnstcw fp-status ; save FP control word 
mov ax, fp_status ; check FP control word 
and ax, 103fh 3 See if selected parts looks OK 
cmp ax, 3fh | ; check that ones and zeroes 
; correctly read 
jne print_one ; jump if not Valid, no NPX installed 


cmp present_4ab,1 ; check if Intel4¥4b CPU flag is on 
je is_44b ; if so, jump to print Intel4&b CPU message 
jmp not_4ab ; else continue with Intel3&b CPU checking 


mov dx,offset ; store Intel44b CPU message 
cHab 
jmp print_one 


Figure 3-23. CPU_ID, MCP_ID Detection Code (Contd.) 
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not_4Ab: 


80287/8038? check for 


restore_EFLAGS: 


print_one: 


print_§?__2a?: 


print_f pu: 


cmp 
jne 


mov 
int 


fldi 


fldz 
fdiv 


fld 
fchs 
fcompp 


fstsw 
mov 
mov 
sahf 
jz 


mov 
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present_34b,1 
print_&?_28? 


ah, 9h 
elh 


the 386 CPU 


fp_status 
ax, fp_status 
dx,offset fp_4024? 


restore_EFLAGS 


dx,offset fp_a@38? 


ah, Sh 
2ih 
bbh 
CX 
bbh 


sp,bx 
exit 


ah, Sh 
elh 
exit 


ah, qh 

eih 

present_db,1 

dx, offset fp_dd? 
print—fpu 
dx,offset fp_&@24? 


ah, Sh 

eth 

exit 

dx,offset period 
ah, 4h 

eth 


ax, 4c@Oh 
elh 


start 


; check if Intel3&8b CPU flag is on 

s if Intel38b CPU flag not on, check NPX for 
; 6066/8048 cab 

; print out Intel38b CPU ID first 


® 
’ 
e 
: 
. 
1 


ry 
’ 


must use default control from 

FNINIT 

form infinity 

&04?/Intel24? math coprocessors says tinf = 


inf 


r 
? 
. 
? 
e 
? 
‘ 
? 
. 
? 


form negative infinity 

Intel38? math coprocessor says tinf <> -inf 
see if they are the same and 

remove them 

look at status from FCOMPP 


; store Intelc&? math coprocessor message 

; see if inities matched 

; jump if §087?/Intel24? math coprocessor is 
; present 4 

; store Intel3&? math coprocessor message 


; clear any pending fp exception 
; print NPX message 


; push ECX 


; restore original EFLAGS register 
; restore original stack pointer © 


; print out CPU ID with no NPX 


* print out &066/8088/24b first 


: if 4846/8084 flag is on 
; Store 404? message 


; else CPU = 24b, store Inteled? 
; math coprocessor message 


; print out NPX 


; print out a period of end message 


; terminate program — 


Figure 3-23. CPU_ID, MCP_ID Detection Code (Contd.) 
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3.11.1 CPU_ID Detection Code > 


The CPU identification assembly code (Figure 3-23) will determine for the user which 
Intel microprocessor is installed, and if an Intel math coprocessor is present. If an 
Intel486 microprocessor is installed, the program will determine if the CPU has an inte- 
grated floating-point unit (FPU). Refer to Section 10.2 and 19.2.3 to guarantee proper 
configuration of the Intel486 microprocessor (with and without FPU). Please understand 
that only these code sequences have been validated by Intel to detect CPU_ID, math 
coprocessor function, and initialize accordingly. Any other approach may prounee 
unpredictable results in future processors. : 


3. "1 2 Address Caleulation Instruction 


LEA (Load Effective Address) puts tiie 32-bit offset to a source operand in memory 
(rather than its contents) into the destination operand. The source operand must be in 
memory, and the destination operand must be a general register. This instruction isespe- 
cially useful for initializing the ESI or EDI registers before the execution of string 
instructions. or. initializing the EBX register before an XLAT instruction. The LEA 
instruction can perform any indexing or scaling which may be needed. 


Example: LEA EBX, -EBCDIC_TABLE »..,°- 


Causes the processor to sngliee the address of the starting location of the table 
labeled EBCDIC_TABLE into EBX. 


3.11.3 No-Operation Instruction 


NOP (No Operation) occupies a byte of code space. When executed, it increments the 
EIP register to point at the next instruction, but affects nothing else. 


3. 11.4 Translate Instruction 


XLATB (Translate) replies ie contents of the AL fepieiet Sitti a ie read from a 
translation table in memory. The contents of the AL register are interpreted as an 
unsigned index into this table, with the contents of the EBX register used as the base 
address. The XLAT instruction does the same operation and loads its result into the 
same register, but it gets the byte operand from memory. This function is used to convert 
character codes from one alphabet into another. For example, an ASCII code could be 
used to look up its EBCDIC equivalent. 


3.11.5 Byte Swap Instruction 


BSWAP (Byte Swap) reverses the byte order in a 32-bit register operand. Bit positions 
7..0 are exchanged with 31..24, and bit positions 15..8 are exchanged with 23..16. This 
' instruction is useful for converting between “big-endian” and “little-endian” data for- 
mats. Executing this instruction twice in a row leaves the register in the same value as 
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before. This instruction also Speeds execution of decimal arithmetic by operating on four 
digits at a time as shown in Figure 3-24. See introduction for Section 3.11 regarding 
Intel386 processors when using BSWAP. 


3.11.6 Exchange-and-Add Instruction 


XADD (Exchange and Add) takes two operands: a source operand in a register and a 
destination operand in a register or memory. The source operand is replaced with the 
destination operand, and the destination operand is replaced with the sum of the source 
and destination operands. The flags reflect the result of the addition. This instruction 
can be combined with LOCK in a multiprocessing system to allow multiple processors to 
execute one do loop. See introduction for Section 3.11 regarding Intel386 processors 
when using XADD. 


3.11.7 Compare-and-Exchange Instruction 


CMPXCHG (Compare and Exchange) takes three operands: a source operand in a reg- 
ister, a destination operand in a register or memory, and the accumulator (i.e., the AL, 
AX, or EAX register, depending on operand size). If the values in the destination oper- 
and and the accumulator are equal, the destination operand is replaced with the source 
operand. Otherwise, the original value of the destination operand is loaded into the 
accumulator. The flags reflect the result which would have been obtained by subtracting 
the destination operand from the accumulator. The ZF flag is set if the values in the 
destination operand and the accumulator were equal, otherwise it is cleared. : 


The CMPXCHG instruction is useful for testing and modifying semaphores. It performs 
a check to see if a semaphore is free. If the semaphore is free it is marked allocated, 
otherwise it gets the ID of the current owner. This is all done in one uninterruptible 
operation. In a single processor system, it eliminates the need to switch to level 0 to 
disable interrupts to execute multiple instructions. For multiple processor systems, 
CMPXCHG can be combined with LOCK to perform all bus cycles atomically. See 
introduction for Section 3.11 regarding Intel386 processors when using CMPXCHG. 
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$title (’ASCII Add/Subtract With BSWAP’) 


name 


code 


we Ye Ve Ve Neo No Ve 


add10 


mov 
bswap 
add 
mov 
bswap 
add 


rer 


mov 
and 
sub 
shr 
and 


add 


or 
bswap 
mov 
rel 
ret 


addi10 


we Ne Se Ve 


~e “ese Veo 


sub10 


segment 


proc 


proc 


ASCII arith 


near 


eax, [esi] 

eax 

eax, 96969696H 
ecx, [ebx] 

ecx 

eax,ecx 

ch,l 

edx,eax 

eax, OFOFOFOFOH 
edx, eax 

eax, 4 

eax, OAOAQAQAH 


eax, edx 


eax, 30303030H 
eax 

[edi] ,eax 
ch,1 


endp 


near 


; Perform ASCII add using BSWAP instruction on 


Get low four digits 
Put into big endian 


we Me Vo Ye Ve Veo Noe We We Veo No Vo Yeo Neo Ne Ne Vo Ya Veo 


er public use32 


Add a string of 4 ASCII decimal digits together. 
The upper nibble MUST be 3. 

DS: [ESI] points at operand 1 

DS: [EBX] points at operand 2 

DS: [EDI] points at the destination 


1486 CPU. 


of first operand 
form . 
so carries work 

of second operand 
form 

Do the add with inter-digit carry 

Save the carry flag 

Save the value 

Extract upper nibble | 
Zero out upper nibble of each byte 
Prepare for fixup 

If non-zero upper nibble then form 

10 as. adjustment value to lower nibble 
Form adjusted lower nibble value 

upper nibbles may be 1 from ad jastment 
Convert back to ASCII 

Back to little-endian 

Set destination 

Restore carry 


Get low four digits 
Put into big-endian 
Adjust for addition 


Sibixact a string of 4 ASCII decimal digits together. 
The upper nibble must be 3. 

DS: [ESI] points at operand 1 
DS: [EBX] points at operand 2 
DS: [EDI] points at the destination 


[ESI] - [EBX] 


; Perform ASCII subtract using BSWAP instruction on i486 CPU. 
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Figure 3-24. ASCII Arithmetic Using BSWAP 
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mov 
bswap 
mov 
bswap 
sub 
rer 
mov 
and 
sub 
shr 
and 


add 


Or 
bswap 
mov 
rel 
ret 


sub10 


code e 
end 
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eax, [esi] 

eax , 
ecx, [ebx] 

ecx 

eax, @Cx 

ch,1 

edx, eax 

eax, OFOFOFOFOH 
edx, eax 

eax, 4 

eax, ODAQAQAODAH 


eax, edax 


eax, 30303030H 
eax 

[edi] ,eax 
ch,l 


endp 


nds 


™e Me Me Ve Ne Ne Ve Ve Ve Ve Ve Ve Yeo Ve Ve Se Ye Vo 


Get low four digits of first operand 
Put into big-endian form 

Get low four digits of second operand 
Put into big endian form 

Do the subtract with inter-digit borrow 
Save the carry flag 

Save the value 

Extract upper nibble, F if borrow happened 
zero out upper nibble of each byte 
Prepare for fixup 

If non-zero upper nibble then form 

10 as adjustment value to lower nibble 
Form adjusted lower nibble value 

upper nibbles may be 1 from adjustment 
Convert back to ASCII 

Back to little-endian 

Set destination 

Restore borrow 
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Figure 3-24. ASCII Arithmetic Using BSWAP (Contd.) 
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System Architecture 


CHAPTER 4 
_ SYSTEM ARCHITECTURE 


Many of the architectural features of the Intel486 processor are used: only by system 
programmers. This chapter presents an overview of these features. Application program- 
mers may need to read this chapter, and the following chapters which describe the use of 
these features, in order to understand the hardware facilities used by system program- 
mers to create a reliable and secure environment for application programs. The system- 
level architecture also supports powerful debugging features which application 
programmers may wish to use during program development. 


The system-level features of the architecture include: 


_- Memory Management 
Protection | 
Multitasking 
Input/Output 

_ Exceptions and Interrupts 

Initialization 
Coprocessing and Multiprocessing 
Debugging 7 
Cache Management 


These features are supported. by registers and instructions, all of which are introduced in | 
the following sections. The purpose of this chapter is not to explain each feature in 
detail, but rather to place the remaining chapters of Part II in perspective. When a 
register or instruction is mentioned, it is cc ia by an explanation or a reference 
to a following et 3 a 


4.1 SYSTEM REGISTERS 
The registers intended for use by system programmers fall into these categories: 


EFLAGS Register , 
Memory-Management Registers © 
Control Registers | 
Debug Registers 

Test Registers 


The system registers control the execution environment of application programs. Most 
systems restrict access to these facilities by application programs (although systems can 
be built where all programs run at the most privileged level, in which case application 
programs are allowed to modify these facilities)... | 
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4.1.1 System Flags 


The system flags of the EFLAGS register control I/O, maskable interrupts, debugging, 
task switching, and the virtual-8086 mode. An application program should ignore these 
flags, and should not attempt to change their state. In most systems, an attempt to 
change the state of.a system flag by an application program results in an exception. 
These flags are shown i in Figure o 1. 


AC (Atienment Check Mode, bit 18) 


Setting the AC flag and the AM bit i in the CRO register enables alignment checking on 
memory references. An alignment-check exception is generated when reference is made 
to an unaligned operand, such as a word at an odd byte address or a doubleword at an 
address which is not an integral multiple of four. Alignment-check exceptions are gen- 
erated only in user mode (privilege level 3). Memory references which default to privi- 
lege level 0, such as segment descriptor loads, do not generate this exception even when 
caused by a memory reference in user- -mode. 


The alignment check interrupt can be used to check alignment of data. This is useful 
when exchanging data with other processors like i860™ 64-bit microprocessor which 
require all data to be aligned. The alignment check interrupt can also be used by inter- 
preters to flag some pointers as special by misaligning the pointer. This eliminates over- 
head of checking each pointer and only handles the special pointer when used. 


11 
109876543210 


ALIGNMENT CHECK ml 


VIRTUAL 8086 MODE (VM) 
RESUME FLAG (RF) 

NESTED TASK (NT) 

VO PRIVILEGE LEVEL (IOPL) 
INTERRUPT ENABLE FLAG (IF) 
TRAP FLAG (TF) 


BIT POSITIONS SHOWN AS 0 OR 1 ARE INTEL RESERVED. 
DO NOT USE. ALWAYS SET THEM TO THE VALUE PREVIOUSLY READ. 
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Figure 4-1. System Flags 
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VM (Virtual-8086 Mode, bit 17) 


Setting the VM flag places the processor in virtual-8086 mode, which is an emulation of 
the programming environment of an 8086 processor. See Chapter 23 for more 
information. 


RF (Resume Flag, bit 16) 


The RF flag temporarily disables debug exceptions so that an instruction can be 
restarted after a debug exception without immediately causing another debug exception. 
When the debugger is entered, this flag allows it to run normally rather than recursively 
calling itself until the stack overflows. The RF flag is not affected by the POPF, POPFD 
or IRET instructions. See Chapter 9 and Chapter 11 for details. 


NT (Nested Task, bit " 


The processor uses the nested task flag to baatrO chaining of cpseainied and called 
tasks. The NT flag affects the operation of the IRET instruction. The NT flag is affected 
by the POPF, POPFD, and IRET instructions. Improper changes to the state of this flag 
can generate unexpected exceptions in application programs. See Chapter 7 and 
Chapter 9 for more information on nested tasks. 


IOPL me en Level, bits 12 and ga 


The I/O privilege level is used by the protection mechanism to control access to the I/O 
address space. The privilege level of the code segment currently executing (CPL) and the 
IOPL determine whether this field can be modified by the POPF, POPED, and IRET 
instructions. See Chapter 8 for more information. 


IF (Interrupt-Enable Flag, bit 9) 


Setting the IF flag puts the processor in a mode in which it responds to maskable inter- 
rupt requests (INTR interrupts). Clearing the IF flag disables these interrupts. The IF 
flag has no effect on either exceptions or nonmaskable interrupts (NMI interrupts). The 
CPL and IOPL determine whether this field can be modified by the CLI, STI, POPF, 
POPFD, and IRET instructions. See Chapter 9 for more details about interrupts. 


TF (Trap Flag, bit 8) 


Setting the TF flag puts the processor into single-step mode for debugging. In this mode, 
the processor generates a debug exception after each instruction, which allows a pro- 
gram to be inspected as it executes each instruction. Single-stepping is just one of several 
debugging features of the Intel486 processor. If an application program sets the TF flag 
using the POPF, POPFD, or IRET instructions, a debug i a is generated. See 
Chapter 9 and Chapter 11 for more information. 
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4.1.2 Memory-Management Registers 


Four registers of the Intel486 processor specify the location of the data structures which 
control segmented memory management, as shown in Figure 4-2. Special instructions are 
provided for loading and storing these registers. The GDTR and IDTR registers may be 
loaded with instructions which get a six-byte block of data from memory. The LDTR and 
TR registers may be loaded with instructions which take a 16-bit segment selector as an 
operand. The remaining bytes of these registers are then loaded automatically by the 
processor from the descriptor referenced by the operand. 


Most systems will protect the instructions which load memory-management registers 
from use by application programs (although a system in which no protection is used is 
possible). 


GDTR Global Descriptor Table Register 


This register holds the 32-bit base address and 16-bit segment limit for the global 
descriptor table (GDT). When.a reference is made to data in memory, a segment selec- 
tor is used to find a segment descriptor in the GDT or LDT. A segment descriptor 
contains the base address for a segment. See Chapter 5 for an explanation 
segmentation. s : 


LDTR 1684 Descriptor Table Register 


This register holds the 32-bit base address, 16-bit segment limit, and 16-bit segment 
selector for the local descriptor table (LDT). The segment which contains the LDT has 
a segment descriptor 1 in the GDT. There is no segment selector for the GDT. When a 
reference is made to data in memory, a segment selector is used to find a segment 
descriptor in the GDT or LDT. A segment descriptor contains the base —— fora . 

segment. See Chapter 5 for an explanation of segmentation. 
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Figure 4-2. Memory Management Registers 
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IDTR Interrupt Descriptor Table Register 


This register holds the 32-bit base address and 16-bit segment limit for the interrupt 
descriptor table (IDT). When an interrupt occurs, the interrupt vector is used as an 
index to get a gate descriptor from this table. The gate descriptor contains a pointer used 
to start up the interrupt handler. See Chapter 9 for details of the interrupt mechanism. 


TR Task Register 


This register holds the 32-bit base address, 16-bit segment limit, descriptor attributes, 
and 16-bit segment selector for the task currently being executed. It references a task 
state segment (TSS) descriptor in the global descriptor table. See Chapter 7 for a 
description of the multitasking features of the Intel486 processor. | 


4.1.3 Control Registers 


Figure 4-3 shows the format of the control registers CRO, CR1, CR2, and CR3. Most 
systems prevent application programs from loading the control registers (although an 
unprotected system would allow this). Application programs can read this register to 
determine if a numerics coprocessor is present. Forms of the MOV instruction allow the 
register to be loaded from or stored in general registers. For example: 


MOV EAX, CRB 
MOV CR3, EBX 


The CRO register contains system control flags, which control modes or indicate states 
which apply generally to the processor, rather than to the execution of an individual task. 
A program should not attempt to change any of the reserved bit positions. Reserved bits 
should always be set to the value previously read. | 
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Figure 4-3. Control Registers 
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The LMSW instruction can only modify the lower 16 bits of CRO. 
PG (Paging, bit ? 


This bit enables paging when set and disables paging when clear. See Chapter 5 for more 
information about paging. See Chapter 10 for information on how to enable paging. 


When an exception is generated during paging, the CR2 register has the 32-bit linear 
address which caused the exception. See Chapter 9 for more information about handling 
exceDHOnS penetaied during paging (page ou) 


When paging is used, the CR3 register has the 20 most- sientiGuit bits of the address of 
the page directory (the first-level page table). The CR3 register is also known as the 
page-directory base register (PDBR). Note that the page directory must be aligned to a 
page boundary, so the low 12 bits of the register are ignored. Unlike the Intel386 DX 
ee the Patel? DE asslene Eo to two of mee bits. These are: 


PCD (Page. -Level Cache Disable, bit 4 of cR3) 


The state of this bit is devour on. 1 the PCD at during bus cycles which are not paged, 
such as interrupt acknowledge cycles, when paging is enabled. It is driven during all bus 
cycles when paging is not enabled. The PCD pin is used to control caching in an external, 
cache on a cycle-by-cycle basis. 


PWT Cae -Level Writes eens bit 3 of coe! 


The state of this bit is en on thie PWT pin during bus cycles which are not quae 
such as interrupt acknowledge cycles, when paging is enabled. It is driven during all bus 
cycles when paging is not enabled. The PWT pin is used to control write- -through i in an 
external cache on a cycle-by-cycle basis. — 


CD (Cache Disable, bit 30) 


This bit enables the internal cache when clear and disables the cache when set. Cache. 
misses do not cause cache line fills when the bit is set. Note that cache hits are not: 
disabled; to completely disable the cache, the cache must be flushed. See Chapter 12 for 
information on caching. 


NW (Not Write-through, bit 29) _ 


This bit enables write-throughs and cache invalidation cycles when clear and disables 
invalidation cycles and write-throughs which hit in the cache when set. See Chapter 12. 
for information on caching. peas write- ‘throughs can allow stale data to appear in 
the cache. : 
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AM (Alignment Mask, bit 18) 


This bit allows alignment checking when set and disables alignment checking when clear. 
Alignment checking is performed only when the AM bit is set, the AC flag is set, and the © 
CPL is 3 (user mode). 


WP (Write Protect, bit 16) 


When set, this bit write-protects user-level pages against supervisor-level writes. When 
this bit is clear, read-only user-level pages can be written by a supervisor process. This 
feature is useful for implementing the copy-on-write method of creating a new process 
(forking) used by some operating systems, such as UNIX. 


NE (Numeric Error, bit 5) 


This bit enables the standard mechanism for reporting floating-point numeric errors 
when set. When NE is clear and the IGNNE# input is active, numeric errors are 
ignored. When the NE bit is clear and the IGNNE# input is inactive, a numeric error 
causes the processor to stop and wait for an interrupt. The interrupt is generated by 
using the FERR# pin to drive an input to the interrupt controller (the FERR# pin 
emulates the ERROR# pin of the Intel287™ and Intel387 DX coprocessors). The NE 
bit, IGNNE# pin, and FERR# pin are used with external logic to implement PC-style 
error reporting. __ | 


ET (Extension Type, bit 4) 


This bit is one to indicate support of Intel387 DX math coprocessor instructions (Intel 
reserved). 


TS (Task Switched, bit 3) 


The processor sets the TS bit with every task switch and tests it when interpreting. 
floating-point arithmetic instructions. This bit allows delaying save/restore of numeric 
content until the numeric data is actually used. The CLTS instruction will clear this bit. 


EM (Emulation, bit 2) 


When the EM bit is set, execution of a numeric instruction generates the coprocessor- 
not-available exception. The EM bit must be set in the Intel486 SX microprocessor. 


MP (Math Present, bit 1) 


On the 286 and Intel386 DX processors, the MP bit controls the function of the WAIT 
instruction, which is used to synchronize with a coprocessor. When running 286 and 
Intel386 DX programs on processors with the Intel486 FPU, this bit should be set. The 
MP bit should be reset in the Intel486 SX CPU. | 
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PE (Protection Enable, bit 0) 


Setting the PE bit enables segment-level protection. See Chapter 6 for more information 
about protection. See Chapter 10 and Chapter 22 for information on how to enable 
paging. | ee 


4.1.4 Debug Registers 


The debug registers bring advanced debugging abilities to the Intel486 processor, includ- 
ing-data breakpoints and the ability to set instruction breakpoints without modifying 
code segments (useful in debugging ROM-based software). Only programs executing at 
the highest privilege level can access. these registers. See Chapter 11 for a complete 
description of their formats and use. The debug registers are shown in Figure 4-4. 


4.1.5 Test Registers 


The test registers are not a formal part of the architecture. They are an implementation- 
dependent facility provided for testing the translation lookaside buffer (TLB) and the 
cache. See Chapter 10 for a complete description of their formats and use. The test 
registers are shown in Figure 4-5. ™ Oo = — 


-DR7 


or 


31 23 45 7 0 
SELENE ES 
3 2 1141] 0 E 2l1\ilolo 
0.000000000000000(SIs/S/0 00000000 a 

) RESERVED | | 


es RESERVED | 


DR6 


DR5 


| DR4 


! | --._ BREAKPOINT 0 LINEAR ADDRESS a 


DR1 
DRO 


NOTE: 0 MEANS INTEL RESERVED. DO NOT DEFINE. 


 240486i4-4 


Figure 4-4. Debug Registers 
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Figure 4-5. Test Registers 


4.2 SYSTEM INSTRUCTIONS 


System instructions deal with functions such as: 


1. Verification of pointer parameters (see Chapter 6): 


Useful to Protected from 


Adjust RPL 
Load Access Rights 
Load Segment Limit 
Verify for Reading 

Verify for Writing 
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2. Addressing descriptor tables (see Chapter 5): 


Useful to Protected from 


Load LDT Register Yes 
Store LDT Register , 

Load GDT Register 
Store GDT Register 


3. Multitasking (see Chapter 1): 


Useful to Protected from 
LTR Load Task Register No Yes 
STR Store Task Register Yes No 


4. aaunechhiaiicd Numerics (see Part III): 


Clear TS bit in CRO 
Escape Instructions 

- Wait Until 
Coprocessor Not Busy 


5. Input _ Output (see Chapter 8): | 


Useful to Protected from 


Input 

Output 

Input String 
Output String 


6. Interrupt Battal (see Chapter 9): 


Useful to- Protected from 


Clear IF flag 


Store IF flag 
Load IDT Register | 
Store IDT Register 
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7. Debugging (see Chapter 11): 


Saat Useful to Protected from 
MOV Load and store debug No Yes 
registers ! 


8. Cache Management: 


er Useful to Protected from 


INVD Invalidate cache, No Yes 
no write-back 

WBINVD Invalidate cache, No Yes 
with write-back ' 

INVLPG Invalidate TLB entry No Yes 


9. System Control: 


een Useful to Protected from 


Store MSW No No 


Load MSW | No Yes 
Load And Store Control Register No Yes 
Halt Processor No Yes 
Bus Lock | No Can Be 


The SMSW and LMSW instructions are provided for compatibility with the 286 pro- 
cessor. A program for the Intel486 processor should not use these instructions. A pro- 
gram should access the Control Registers using forms of the MOV instruction. The 
LMSW instruction does not affect the PG, CD, NW, AM, WP, NE or ET bits, and it 
cannot be used to clear the PE bit. 


The HLT instruction stops the processor until an enabled interrupt or RESET signal is 
received. (Note that the NMI interrupt is always enabled.) A special bus cycle is gener- 
ated by the processor to indicate halt mode has been entered. Hardware may respond to 
this signal in a number of ways. An indicator light on the front panel may be turned on. 
An NMI interrupt for recording diagnostic information may be generated. Reset initial- 
ization may be invoked. Software designers may need to be aware of the response of 
hardware to halt mode. 


The LOCK instruction prefix is used to invoke a locked (atomic) read-modify-write 
operation when modifying a memory operand. The LOCK# signal is asserted and the 
processor does not respond to requests for bus control during a locked operation. This 
mechanism is used to allow reliable communications between processors in multiproces- 
sor systems. 3 


In addition to the chapters mentioned above, detailed information about each of these 
instructions can be found in the instruction reference chapter, Chapter 26. 
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CHAPTER 5 
MEMORY MANAGEMENT 


Memory management is a hardware mechanism which lets operating systems create sim- 
plified environments for running programs. For example, when several programs are 
running at the same time, they must each be given an independent address space. If they 
all had to share the same address space, each would have to perform difficult and time- 
consuming checks to avoid interfering with the others. 


Memory management consists of segmentation and paging. Segmentation is used to give 
each program several independent, protected address spaces. Paging is used to support 
an environment where large address spaces are simulated using a small amount of RAM 
and some disk storage. System designers may choose to use either or both of these 
mechanisms. When several programs are running at the same time, either mechanism 
can be used to protect programs against interference from other programs. 


Segmentation allows memory to be completely unstructured and simple, like the memory 
model of an 8-bit processor, or highly structured with address translation and protection. 
The memory management features apply to units called segments. Each segment is an 
independent, protected address space. Access to segments is controlled by data which 
describes its size, the privilege level required to access it, the kinds of memory references 
which can be made to it (instruction fetch, stack push or pop, read operation, write 
operation, etc.), and whether it is present in memory. 


Segmentation is used to control memory access, which is useful for catching bugs during 
program development and for increasing the reliability of the final product. It also is 
used to simplify the linkage of object code modules. There is no reason to write position- 
independent code when full use is made of the segmentation mechanism, because all 
memory references can be made relative to the base addresses of a module’s code and 
data segments. Segmentation can be used to create ROM-based software modules, in 
which fixed addresses (fixed, in the sense that they cannot be changed) are offsets from 
a segment’s base address. Different software systems can have the ROM modules at 
different physical addresses because the segmentation mechanism will direct all memory 
references to the right place. 


In a simple memory architecture, all addresses refer to the same address space. This is 
the memory model used by 8-bit microprocessors, such as the 8080 processor, where the’ 
logical address is the physical address. The Intel486 processor can be used in this way by 
mapping all segments into the same address space and keeping paging disabled. This 
might be done where an older design is being updated to 32-bit technology without also 
adopting the new architectural features. | 


An application also could make partial use of segmentation. A frequent cause of soft- 
ware failures is the growth of the stack into the instruction code or data of a program. 
Segmentation can be used to prevent this. The stack can be put in an address space 
separate from the address space for either code or data. Stack addresses always would 
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refer to the memory in the stack segment, while data addresses always would refer to 
memory in the data segment. The stack segment would have a maximum size enforced by 
hardware. Any attempt to grow the stack beyond this size would generate an exception. 


A complex system of programs may make full use of segmentation. For example, a 
system in which programs share data in real time can have precise control of access to 
that data. Program bugs appear as exceptions generated when a program makes 
improper access. This is useful as an aid to debugging during program development, and 
it also may be used to trigger error-recovery procedures in systems delivered to the end 
user. , 


Segmentation hardware translates a segmented (logical) address into an address for a 
continuous, unsegmented address space, called a linear address. If paging is enabled, 
paging hardware translates a linear address into a physical address. If paging is not 
enabled, the linear address is used as the physical address. The physical address appears 
on the address bus coming out of the processor. 


Paging is a mechanism used to simulate a large, unsegmented address space using a 
small, fragmented address space and some disk storage. Paging provides access to data 
structures larger than the available memory space by keeping them partly in memory and 
Pay on disk. | | , | 


Paging is applied to units of 4K bytes called pages. When a program attempts to access a 
page which is on disk, the program is interrupted in a special way. Unlike other excep- 
tions and interrupts, an exception generated due to address translation, restores the © 
contents of the processor registers to values which allow the exception-generating 
instruction to be re-executed. This special treatment is called instruction restart. It allows 
the operating system to read the page from disk, update the mapping of linear addresses 
to physical addresses for that page, and restart the program. ‘This process is es at 
to the program. 


If an operating system never sets bit 31 of the CRO register (the PG bit), ‘the paging 
mechanism will never be enabled. Linear addresses will be used as physical addresses. 
This might be done where a design using a 16-bit processor is being updated to use a 
32-bit processor. An operating system written for a 16-bit processor does not use paging 
because the size of its address space is so small (64K bytes) that it is more efficient to 
ay entire segments between RAM and disk, rather than individual pages. 


Paging would be enabled for operating systems which can support demand-paged virtual 
memory, such as UNIX. Paging is transparent to application software, so an operating 
system intended to support application programs written for 16-bit processors may run 
those programs with paging enabled. Unlike paging, segmentation is not transparent to 
application programs. Programs which use segmentation must. be run with the “oo 
they were designed to use. bs 7 | 
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5.1 SELECTING A SEGMENTATION MODEL 


A model for the segmentation of memory is chosen on the basis of reliability and per- 
formance. For example, a system which has several programs sharing data in real time - 
would get maximum performance from a model which checks memory references in 
hardware. This would be a multi-segment model. | 


At the other extreme, a system which has just one program may get higher performance 
from an unsegmented or “flat” model. The elimination of “far” pointers and segment- 
override prefixes reduces code size and increases execution speed. Context switching is 
faster, because the contents of the segment registers no longer have to be saved or 
restored. 


Some of the benefits of segmentation also can be provided by paging. For example, data 
can be shared by mapping the same pages onto the address space of each program. 


5.1.1 Flat Model 


The simplest model is the flat model. In this model, all segments are mapped to the 
entire physical address space. A segment offset can refer to either code or data areas. To 
the greatest extent possible, this model removes the segmentation mechanism from the 
architecture seen by either the system designer or the application programmer. ‘This 
might be done for a programming environment like UNIX, which supports paging but 
does not support segmentation. | 


A segment is defined by a segment descriptor. At least two segment descriptors must be 
created for a flat model, one for code references and one for data references. Both 
descriptors have the same base address value. Whenever memory is accessed, the con- 
tents of one of the segment registers are used to select a segment descriptor. The seg- 
ment descriptor provides the base address of the segment and its limit, as well as access 
control information (see Figure 5-1). 


SEGMENT . SEGMENT PHYSICAL 
REGISTERS DESCRIPTORS MEMORY 


T= esse 


744 BASE ADDRESS 


Figure 5-1. Flat Model 
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ROM usually is put at the top of the physical address space, because the processor 
begins execution at OFFFFFFFOH. RAM is placed at the bottom of the address space 
because the initial base address for the DS data segment after reset initialization is 0. 


For a flat model, each descriptor has a base address of 0 and a segment limit of 4 
gigabytes. By setting the segment limit to 4 gigabytes, the segmentation mechanism is 
kept from generating exceptions for memory references which fall outside of a segment. 
Exceptions could still be generated by the paging or segmentation protection mecha- 
nisms, but these also can be removed from the memory model. 


5.1.2 Protected Flat Model 


The protected flat model is like the flat model, except the segment limits are set to 
include only the range of addresses for which memory actually exists. A general- 
protection exception will be generated on any attempt to access unimplemented mem- 
ory. This might be used for systems in which the paging mechanism is disabled, because 
it provides a minimum level of hardware protection against some kinds of program bugs. 


In this model, the segmentation hardware prevents programs from addressing non- 
existent memory locations. The consequences of being allowed access to these memory 
locations are hardware-dependent. For example, if the processor does not receive a 
READY*#¥ signal (the signal used to acknowledge and terminate a bus eycre); the bus 
cycle does not terminate and program execution stops. 


Although no program should make an atemapt to access these memory locations, an 
attempt may occur as a result of program bugs. Without hardware checking of addresses, 
it is possible that a bug could suddenly stop program execution. With hardware checking, 
programs fail in a controlled way. A diagnostic message can appear and recovery proce- 
dures can be attempted. | 


An example of a protected flat model is shown in Figure 5-2. Here, segment descriptors 
have been set up to cover only those ranges of memory which exist. A code and a data 
segment cover the EPROM and DRAM of physical memory. The code segment limit can 
be optionally set to allow access to DRAM area. The data segment limit must be set to 
the sum of EPROM and DRAM sizes. If memory- mapped I/O is used, it can be 
addressed just beyond the end of DRAM area. 


5.1.3 Multi-Segment Model 


The most sophisticated model is the multi-segment model. Here, the full capabilities of 
the segmentation mechanism are used. Each program is given its own table of segment 
descriptors, and its own segments. The segments can be completely private to the pro- 
gram, or they can be shared with specific other programs. Access between programs and 
particular segments can be individually controlled. 
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BASE ADDRESS 


240486i5-2 


Figure 5-2. Protected Flat Model 


Up to six segments can be ready for immediate use. These are the segments which have 
segment selectors loaded in the segment registers. Other segments are accessed by load- 
ing their segment selectors into the segment registers (see Figure 5-3). 


Each segment is a separate address space. Even though they may be placed in adjacent. 
blocks of physical memory, the segmentation mechanism prevents access to the contents 
of one segment by reading beyond the end of another. Every memory operation is 
checked against the limit specified for the segment it uses. An attempt to address mem- 
ory beyond the end of the segment generates a general-protection exception. 


The segmentation mechanism only enforces the address range specified in the segment 
descriptor. It is the responsibility of the operating system to allocate separate address 
ranges to each segment. There may be situations in which it is desirable to have seg- 
ments which share the same range of addresses. For example, a system may have both 
code and data stored in a ROM. A code segment descriptor would be used when the 
ROM is accessed for instruction fetches. A data segment descriptor would be used when 
the ROM is accessed as data. | | 7 as — 


5.2 SEGMENT TRANSLATION - 


A logical address consists of the 16-bit segment selector for its segment and a 32-bit 
offset into the segment. A logical address is translated into a linear address by adding 
the offset to the base address of the segment. The base address comes from the segment 
descriptor, a data structure in memory which provides the size and location of a segment, 
as well as access control information. The segment descriptor comes from one of two 
tables, the global descriptor table (GDT) or the local descriptor table (LDT). There is 
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Figure 5-3. Multi-Segment Model 


one GDT for all programs in the system, and one LDT for each separate program being 
run. If the operating system allows, different programs can share the same LDT. The 
system also may be set up with no LDTs; all programs will then use the GDT. 


Every logical address is associated with a segment (even if the system maps all segments 
into the same linear address space). Although a program may have thousands of seg- 
ments, only six may be available for immediate use. These are the six segments whose 
segment selectors are loaded in the processor. The segment selector holds information 
used to translate the logical address into the corresponding linear address. | 


Separate segment registers exist in the processor for each kind of memory reference (code 
space, stack space, and data spaces). They hold the segment selectors for the segments 
currently in use. Access to other segments requires loading a segment register using a 
form of the MOV instruction. Up to four data spaces may be available at the same time, 
thus providing a total of six segment registers. © | : i | 
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When a segment selector is loaded, the base address, segment limit, and access control 
information also are loaded into the segment register. The processor does not reference 
the descriptor tables again until another segment selector is loaded. The information 
saved in the processor allows it to translate addresses without making extra bus cycles. In 
systems in which multiple processors have access to the same descriptor tables, it is the 
responsibility of software to reload the segment registers when the descriptor tables are 
modified. If this is not done, an old segment descriptor cached in a segment register 
might be used after its memory-resident version has been modified. 


The segment selector contains a 13-bit index into one of the descriptor tables. The index 
is scaled by eight (the number of bytes in a segment descriptor) and added to the 32-bit 
base address of the descriptor table. The base address comes from either the global 
descriptor table register (GDTR) or the local descriptor table register (LDTR). These 
registers hold the linear address of the beginning of the descriptor tables. A bit in the 
segment selector specifies which table to use, as shown in Figure 5-4. 


_ The translated address is the linear address, as shown in Figure 5-5. If paging is not 
used, it is also the physical address. If paging is used, a second level of address transla- 
tion produces the physical address. This translation is described in Section 5.3. 


5.2.1 Segment Registers 


Each kind of memory reference is associated with a segment register. Code, data, and 
stack references each access the segments specified by the contents of their segment 
registers. More segments can be made available by loading their segment selectors into - 
these registers during program execution. 


Every segment register has a “visible” part and an “invisible” part, as shown in 
Figure 5-6. There are forms of the MOV instruction to load the visible part of these 
segment registers. The invisible part is loaded by the processor. 


The operations which load these registers are instructions for application programs 
(described in Chapter 3). There are two kinds of these instructions: 


1. Direct load instructions such as the MOV, POP, LDS, LSS, LGS, and LFS instruc- 
tions. These instructions explicitly reference the segment registers. 


2. Implied load instructions such as the far pointer versions of the CALL and JMP 
instructions. These instructions change the contents of the CS register as an inciden- 
tal part of their function. 


When these instructions are used, the visible part of the segment register is loaded with 
a segment selector. The processor automatically fetches the base address, limit, type, and 
other information from the descriptor table and loads the invisible part of the segment 
register. 


Because most instructions refer to segments whose selectors already have been loaded 


into segment registers, the processor can add the eee -address olset to the segment 
base address with no penOrmauce penalty. | 
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Figure 5-4. TI Bit Selects Descriptor Table 
5.2.2 Segment Selectors 


A segment selector points to the information which defines a segment, called a segment 
descriptor. A program may have more segments than the six whose segment selectors 
occupy segment registers. When this is true, the program uses forms of the MOV 
instruction to change the contents of these registers when it needs to access a new 
segment. 


A segment selector identifies a segment descriptor by specifying a descriptor table and a 
descriptor within that table. Segment selectors are visible to application programs as a 
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Figure 5-5. Segment Translation 
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Figure 5-6. Segment Registers 
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part of a pointer variable, but the values of selectors are usually assigned or modified by 
link editors or linking loaders, not application programs. Figure 5-7 shows the format of 
a segment selector. 


Index: Selects one of 8192 descriptors in a descriptor table. The processor multiplies the 
index value by 8 (the number of bytes in a segment descriptor) and adds the result to the 
base address of the descriptor table (from the GDTR or LDTR register). 


Table Indicator bit: Specifies the descriptor table to use. A clear bit selects the GDT; a 
set bit selects the current LDT. : 


Requester Privilege Level: When this field contains a privilege level having a greater 
value (i.e., less privileged) than the program, it overrides the program’s privilege level. 
When a program uses a less privileged segment selector, memory accesses take place at 
the lesser privilege level. This is used to guard against a security violation in which a less 
privileged program uses a more privileged program to access protected data. 
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(00 = MOST PRIVILEGED, 11 = LEAST) 
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Figure 5-7. Segment Selector 


For example, system utilities or device drivers must run with a high level of privilege in 
order to access protected facilities such as the control registers of peripheral interfaces. 
But they must not interfere with other protected facilities, even if a request to do so is 
received from a less privileged program. If a program requested reading a sector of disk 
into memory occupied by a more privileged program, such as the operating system, the 
RPL can be used to generate a general-protection exception when the less privileged 
segment selector is used. This exception occurs even though the program using the seg- 
ment selector would have a sufficient privilege level to perform the operation on its own. 


Because the first entry of the GDT is not used by the processor, a selector which has an 
index of 0 and a table indicator of 0 (i.e., a selector which points to the first entry of the 
GDT) is used as a “null selector.” The processor does not generate an exception when a 
segment register (other than the CS or SS registers) is loaded with a null selector. It 
does, however, generate an exception when a segment register holding a null selector is 
used to access memory. This feature can be used to initialize unused segment registers. 


5.2.3 Segment Descriptors 


A segment descriptor is a data structure in memory which provides the processor with 
the size and location of a segment, as well as control and status information. Descriptors 
typically are created by compilers, linkers, loaders, or the operating system, but not 
application programs. Figure 5-8 illustrates the two general descriptor formats. The sys- 
tem segment descriptor is described more fully in Chapter 6. All types of seement 
GC SenDLOrS take one of these formats. 


Base: Defines the location of the segment within the 4 gigabyte physical address space. 
The processor puts together the three base address fields to form a single 32-bit value. 
Segment base values should be aligned to 16 byte boundaries to allow programs to 
maximize performance by aligning code/data on 16 byte boundaries. 


Granularity bit: Turns on scaling of the Limit field by a factor of 4096 (2!2). When the 
bit is clear, the segment limit is interpreted in units of one byte; when set, the segment 


limit is interpreted in units of 4K bytes (one page). Note that the twelve least significant 
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Figure 5-8. Segment Descriptors 


bits of the address are not tested when scaling is used. For example, a limit of 0 with the 
Granularity bit set results in valid offsets from 0 to 4095. Also note that only the Limit 
field is affected. The base address remains byte granular. 


Limit: Defines the size of the segment. The processor puts together the two limit fields 
to form a 20-bit value. The processor interprets the limit in one of two ways, depending 
on the setting of the Granularity bit: | 


1. If the Granularity bit is clear, the Limit has. a value from 1 byte to 1 megabyte, in 
increments of 1 byte. 


2. If the Granularity bit is set, the Limit has a value from 4 kilobytes to 4 gigabytes, in 
increments of 4K bytes. 
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For most segments, a logical address may have an offset ranging from 0 to the limit. 
Other offsets generate exceptions. Expand-down segments reverse the sense of the Limit 
field; they may be addressed with any offset except those from 0 to the limit (see the 
Type field, below). This is done to allow segments to be created in which increasing the 
value held in the Limit field allocates new memory at the bottom of the segment’s 
address space, rather than at the top. Expand-down segments are intended to hold 
stacks, but it is not necessary to use them. If a stack is going to be put in a segment which 
does not need to change size, it can be a normal data segment. 


S bit: Determines whether a given segment is a system segment or a code or data seg- 
ment. If the S bit is set, then the segment is either a code or a data segment. If it is clear, 
then the segment is a system segment. 


D bit: The code segement D bit indicates the default length for operands and effective 
addresses. If the D bit is set, then 32-bit operands and 32-bit effective addressing modes 
are assumed. If it is clear, then 16-bit operands and addressing modes are assumed. 


Type: The interpretation of this field depends on whether the segment descriptor is for 
an application segment or a system segment. System segments have a slightly different 
descriptor format, discussed in Chapter 6. The Type field of a memory descriptor spec- 
ifies the kind of access which may be made to a | Segment, and its direction of growth (see 
Table 5-1). , 


Table 5-1. Application Segment Types 


Type — | 


Read-Only 

Read-Only, accessed 

Read/Write 

Read/Write, accessed 

Read-Only, expand-down 
Read-Only, expand-down, accessed 
Read/Write, expand-down 
Read/Write, expand-down, accessed 


Type | 


Execute-Only | 

Execute-Only, accessed ~ 

Execute/Read 

Execute/Read, accessed 

Execute-Only, conforming 

Execute-Only, conforming, accessed 
Execute/Read-Only, conforming 
Execute/Read-Only, conforming, accessed 
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For data segments, the three lowest bits of the type field can be interpreted as expand- 
down (E), write enable (W), and accessed (A). For code segments, the three lowest bits 
of the type field can be interpreted as conforming (O), read enable (R), and 
accessed (A). 


Data segments can be read-only or read/write. Stack segments are data segments which 
must be read/write. Loading the SS register with a segment selector for any other type of 
segment generates a general-protection exception. If the stack segment needs to be able 
to change size, it can be an expand- -down data segment. The meaning of the segment 
limit is reversed for an expand-down segment. While an offset in the range from 0 to the 
segment limit is valid for other kinds of segments (outside this range a general- 
protection exception is generated), in an expand-down segment these offsets are the 
ones which generate exceptions. The valid offsets in an expand-down segment are those 
_ which generate exceptions in the other kinds of segments. Expand-up segments must be 

addressed by offsets which are equal or less than the segment limit. Offsets into expand- 
down segments always must be greater than the segment limit. This interpretation of the 
segment limit causes memory space to be allocated at the bottom of the segment when 
the segment limit is decreased, which is correct for stack segments because they grow 
toward lower addresses. If the stack is given a segment which does not change size, it 
does not need to be an expand-down segment. 7 


Code segments can be execute- only or execute/read. An execute/read segment might be 
used, for example, when constants have been placed with instruction code in a ROM. In 
this case, the constants can be read either by using an instruction with a CS override 
prefix or by placing a segment selector for the code segment in a segment register for a 
data segment. 


Code segments can be either conforming or non-conforming. A transfer of execution 
into a more privileged conforming segment keeps the current privilege level. A transfer 
into a non-conforming segment at a different privilege level results in a general- 
protection exception, unless a task gate is used (see Chapter 6 for a discussion of multi- 
tasking). System utilities which do not access protected facilities, such as data-conversion 
functions (e.g., EBCDIC/ASCII translation, Huffman encoding/decoding, math library) 
and some types of exceptions (e.g., Divide Error, INTO-detected overflow, and BOUND 
range exceeded) may be loaded in conforming code segments. 


The Type field also reports whether the segment has been accessed. Segment descriptors 
initially report a segment as having been accessed. If the Type field then is set to a value 
for a segment which has not been accessed, the processor restores the value if the seg- 
ment is accessed. By clearing and testing the low bit of the Type field, software can 
monitor segment usage (the low bit of the Type field also is called the Accessed bit). 


For example, a program development system might clear all of the Accessed bits for the 
segments of an application. If the application crashes, the states of these bits can be used 
to generate a map of all the segments accessed by the application. Unlike the break- 
points provided by the debugging mechanism (Chapter 11), the usage information 
applies to segments rather than physical addresses. . 
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The processor may update the Type field when a segment is accessed, even if the access 
is a read cycle. If the descriptor tables have been put in ROM, it may be necessary for 
hardware to prevent the ROM from being enabled onto the data bus during a write 
cycle. It also may be necessary to return the READY#¥ signal to the processor when a 
write cycle to ROM occurs, otherwise the cycle does not terminate. These features of the 
hardware design are necessary for using ROM-based descriptor tables with the Intel386 — 
DX processor, which always sets the Accessed bit when a segment descriptor is loaded. 
The Intel486 processor, however, only sets the Accessed bit if it is not already set. Writes 
to descriptor tables in ROM can be avoided by setting the Accessed bits in every 
descriptor. | 


DPL (Descriptor Privilege Level): Defines the privilege level of the segment. This is used 
to control access to the segment, using the protection mechanism described in Chapter 6. 


Segment-Present bit: If this bit is clear, the processor generates a segment-not-present 
exception when a selector for the descriptor is loaded into a segment register. This is 
used to detect access to segments which have become unavailable. A segment can 
become unavailable when the system needs to create free memory. Items in memory, 
such as character fonts or device drivers, which currently are not being used are 
de-allocated. An item is de-allocated by marking the segment “not present” (this is done 
by clearing the Segment-Present bit). The memory occupied by the segment then can be 
put to another use. The next time the de-allocated item is needed, the segment-not- 
present exception will indicate the segment needs to be loaded into memory. When this 
kind of memory management is provided in a manner invisible to application programs, 
it is called virtual memory. A system may maintain a total amount of virtual memory far 
larger than physical memory by keeping only a few segments present in physical memory 
at any one time. _— 


Figure 5-9 shows:the format of a descriptor when the Segment-Present bit is clear. When 
this bit is clear, the operating system is free to use the locations marked Available to 
store its own data, such as information regarding the whereabouts of the missing 
segment. | | p* oe 
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Figure 5-9. Segment Descriptor (Segment Not Present) 
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5.2.4 Segment Descriptor Tables 


A segment descriptor table is an array of segment descriptors. There are two kinds of 
descriptor tables: 


e The global descriptor table (GDT) 
e The local descriptor tables (LDT) 


There is one GDT for all tasks, and an LDT for each task being run. A descriptor table 
is an array of segment descriptors, as shown in Figure 5-10. A descriptor table is variable © 
in length and may contain up to 8192 (2'°) descriptors. The first descriptor in the GDT 
is not used by the processor. A segment selector to this “null descriptor” does not 
generate an exception when loaded into a segment register, but it always generates an 
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Figure 5-10. Descriptor Tables 
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exception when an attempt is made to access memory using the descriptor. By initializing 
the segment registers with this segment selector, accidental relerence to unused premicnt 
registers can be guaranteed to generate an exception. 


5.2.5 Descriptor Table Base Registers 


The processor finds the global descriptor table (GDT) and interrupt descriptor table 
(IDT) using the GDTR and IDTR registers. These registers hold 32-bit base addresses 
for tables in the linear address space. They also hold 16-bit limit values for the size of 
these tables. When the registers are loaded or stored, a 48-bit “pseudo-descriptor”’ is 
accessed in memory, as shown in Figure 5-11. The GDT and IDT should be aligned on a 
16 byte boundary to maximize performance due to cache line fills. 


The limit value is expressed in bytes. As with segmer ts, the limit value is added to the 
base address to get the address of the last valid byte. A limit value of 0 results in exactly 
one valid byte. Because segment descriptors are always eight bytes, the limit should 
always be one less than an integral multiple of eight (i.e., 8N — 1). The LGDT and 
SGDT instructions read and write the GDTR register; the LIDT and SIDT instructions | 
read and write the IDTR register. — 


A third dessin vehi is the local descriptor table (LDT). It is identified using a 16-bit 
segment selector held in the LDTR register. The LLDT and SLDT instructions read and 
write the segment selector in the LDTR register. The LDTR register also holds the base. 
address and limit for the LDT, but these are loaded automatically by the processor from 
the segment descriptor for the LDT. The LDT should be aligned on a 16 byte boundary 
to maximize performance due to cache line fills. 


Alignment check faults may be sone by storing a pseudo-descriptor in user mode 
(privilege level 3). User-mode programs normally do not store pseudo-descriptors, but 
the possibility of generating an alignment check fault in this way can be avoided by 
placing the pseudo-descriptor at an odd word address (i.e., an address which is 2 MOD 
4). This causes the processor to store an aligned word, followed by an aligned 
doubleword. | 
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Figure 5-11. Pseudo-Descriptor Format 
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5.3 Page Translation 


A linear address is a 32-bit address into a uniform, unsegmented address space. This 
address space may be a large physical address space (i.e., an address space composed of 
4 gigabytes of RAM), or paging can be used to simulate this address space using a small 
amount of RAM and some disk storage. When paging is used, a linear address is trans- 
lated into its corresponding physical address, or an exception is generated. The excep- 
tion gives the operating system a chance to read the page from disk: (perhaps sending a 
different page out to disk in the process), then restart the instruction which generated 
the exception. 


Paging is different from segmentation through its use of small, fixed-size pages. Unlike 
segments, which usually are the same size as the data structures they hold, on the 
Intel486 processor, pages are always 4K bytes. If segmentation is the only form of 
address translation which is used, a data structure which is present in physical memory 
will have all of its parts in memory. If paging is used, a data structure may be partly in 
memory and partly in disk storage. 


The information which maps linear addresses into physical addresses and exceptions is 
held in data structures in memory called page tables. As with segmentation, this informa- 
tion is cached in processor registers to minimize the number of bus cycles required for 
address translation. Unlike segmentation, these processor registers are completely invis- 
ible to application programs. (For testing purposes, these registers are visible to pro- 
grams running with maximum privileges; see eae 10 for details.) 


The paging mechanism treats the 32-bit linear address as having three parts, two 10-bit 
indexes into the page tables and a 12-bit offset into the page addressed by the page 
tables. Because both the virtual pages in the linear address space and the physical pages 
of memory are aligned to 4K-byte page boundaries, there is no need to modify the low 12 
bits of the address. These 12 bits pass straight through the paging hardware, whether 
paging is enabled or not. Note that this is different from segmentation, because segments 
can start at any byte address. 


The upper 20 bits of the address are used to index into the page tables. If every page in 
the linear address space were mapped by a single page table in RAM, 4 megabytes 
would be needed. This is not done. Instead, two levels of page tables are used. The top 
level page table is called the page directory. It maps the upper 10 bits of the linear 
address to the second level of page tables. The second level of page tables maps the 
middle 10 bits of the linear address to the base address of a page in physical memory 
(called a page frame address). 


An exception may be generated based on the contents of the page table or the page 
directory. An exception gives the operating system a chance to bring in a page table from 
disk storage. By allowing the second-level page tables to be sent to disk, the paging 
mechanism can support mapping of the entire linear address space using only a few 
pages in memory. 
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The CR3 register holds the page frame address of the page directory. For this reason, it 
also is called the page directory base register or PDBR. The upper 10 bits of the linear 
address are scaled by four (the number of bytes in a page table entry) and added to the 
value in the PDBR register to get the physical address of an entry in the page directory. 
Because the page frame address is always clear in its lowest 12 bits, this addition is 
performed by concatenation (replacement of the low 12 bits with the scaled index). 


When the entry in the page directory is accessed, a number of checks are | 
Exceptions may be generated if the page is protected or is not present in memory. If no 
exception is generated, the upper 20 bits of the page table entry are used as the page 
frame address of a second-level page table. The middle 10 bits of the linear address are 
scaled by four (again, the size of a page table entry) and concatenated with the page 
frame address to get the physical address of an entry in the second-level page table. 


Again, access checks are performed, and exceptions may be generated. If no exception 
occurs, the upper 20 bits of the second-level page table entry are concatenated with the 
lowest 12 bits of the linear address to form the physical address of the operand (data) in 
memory. | 


Although this process may seem complex, it all takes place with very little overhead. The 
processor has a cache for page table entries called the translation lookaside buffer 
(TLB). The TLB satisfies most requests for reading the page tables. Extra bus cycles 
occur only when a new page is accessed. The page size (4K bytes) is large enough so that 
very few bus cycles are made to the page tables, compared to the number of bus cycles 
made to instructions and data. At the same time, the page size is small enough to make 
efficient use of memory. (No matter how small a data structure is, it occupies at least 
one page of money: ) 


5.3.1 PG Bit Enables Paging 


If paging is enabled, a second stage of address translation is used to generate the phys- 
ical address from the linear address. If paging is not enabled, the linear address 1 is used 
as the physical address. 


_ Paging is enabled when bit 31 (the PG bit) of the CRO register is set. This bit usually is 
set by the operating system during software initialization. The PG bit must be set if the 
operating system is running more than one program in virtual-8086 mode: or it demand- 
paged virtual memory is used. | ) 


5.3.2 Linear Address 
Figure 5-12 shows the format of a linear address. 
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Figure 5-12. Format of a Linear Address 
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_ Figure 5-13. Page Translation 


Figure 5-13 shows how the processor translates the DIRECTORY, TABLE, and OFF- 
SET fields of a linear address into the physical address using two levels of page tables. 
The paging mechanism uses the DIRECTORY field as an index into a page directory, 
the TABLE field as an index into the page table determined by the page directory, and 
the OFFSET field to address an operand within the page specified by the page table. 


5.3.3 Page Tables 


A page table is an array of 32-bit entries. A page table is itself a page, and contains 4096 
bytes of memory or, at most, 1K 32-bit entries. All pages, including page directories and 
page tables, are aligned to 4K-byte boundaries. 


Two levels of tables are used to address a page of memory. The top level is called the 
page directory. It addresses up to 1K page tables in the second level. A page table in the 
second level addresses up to 1K pages in physical memory. All the tables addressed by 
one page directory, therefore, can address 1M or 2”° pages. Because each page contains 
4K or 2'* bytes, the tables of one page directory can span the entire linear address space 

of the Intel486 processor (2°° x 2'* = 2°). | 
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The physical address of the current page directory is stored in the CR3 register, also 
called the page directory base register (PDBR). Memory management software has the 
option of using one page directory for all tasks, one page directory for each task, or some 
combination of the two. See Chapter 10 for information on initialization of the CR3 
register. See Chapter 7 for how the contents of the CR3 register can change for each 
task. 


5.3.4 Page-Table Entries 


_ Entries in either level of page tables have the same format, except that the page direc- 
tory has no Dirty bit. Figure 5-14 illustrates this format. The bit position of the D bit is 
reserved for future Intel use. 


5.3.4.1 PAGE FRAME ADDRESS 


The page frame address is the base address of a page. In a page table entry, the upper 
20 bits are used to specify a page frame address, and the lowest 12 bits specify control 
and status bits for the page. In a page directory, the page frame address is the address of 
a page table. In a second-level page table, the page frame address is the address of a 
page containing instructions or data. 


5.3.4.2 PRESENT BIT 


The Present bit indicates whether the page frame address in a page table entry maps to 
a page in physical memory. When set, the page is in memory. | 


When the Present bit is clear, the page is not in memory, and the rest of the page table 
entry is available for the operating system, for example, to store information regarding 
the whereabouts of the missing page. vente 5-15 illustrates the oe of a page table 
entry when the Present bit 1 is clear. 
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Figure 5-14. Format of a Page Table Entry 
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Figure 5-15. Format of a Page Table Entry for a Not-Present Page 
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If the Present bit is clear in either level of page tables when an attempt is made to use a 
_ page table entry for address translation, a page-fault exception is generated. In systems 
which support demand-paged virtual memory, the following sequence of events then 
occurs: 


1. The operating system copies the page from disk storage into physical memory. 


2. The operating system loads the page frame address into the page table entry and 
sets its Present bit. Other bits, such as the R/W bit, may be set, too. | 


3. Because a copy of the old page table entry may still exist in the translation lookaside 
buffer (TLB), the operating system empties it. See Section 5.3.5 for a discussion of 
the TLB and how to empty it. 


4. The program which caused the exception is then restarted. 


Since there is no Present bit in CR3 to indicate when the page directory is not resident 
in memory, the page directory pomteds to by CR3 should always be present in physical 
memory. | 


5.3.4.3 ACCESSED AND DIRTY BITS 


These bits provide data about page usage in both levels of page tables. The Accessed bit 
is used to report read or write access to a page or second-level page table. The Dirty bit 
is used to report write access to a page. 


With the exception of the Dirty bit in a page directory entry, these bits are set by the 
hardware; however, the processor does not clear either of these bits. The processor sets 
the Accessed bits in both levels of page tables before a read or write operation to a page. 
The processor sets the Dirty bit in the second-level page table before a write operation 
to an address mapped by that page table entry. The Dirty bit in directory entries is 
undefined. 


The operating system may use the Accessed bit when it needs to create some free mem- 
ory by sending a page or second-level page table to disk storage. By periodically clearing 
the Accessed bits in the page tables, it can see which pages have been used recently. 
Pages which have not been used are candidates for sending out to disk. 
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The operating system may use the Dirty bit when a page is sent back to disk. By clearing 
the Dirty bit when the page is brought into memory, the operating system can see if it 
has received any write access. If there is a copy of the page on disk and the copy in 
memory has not received any writes, there is no need to update disk from micmoly: 


See Chanter 13 for how the Intel486 processor updates the Accessed and Dirty bits in . 
multiprocessor systems. | | 


5.3.4.4 READ/WRITE AND USER/SUPERVISOR BITS 


The Read/Write and User/Supervisor bits are used for protection checks applied to 
pages, which the processor performs at the same time as address translation. See Chap- 
ter 6 for more information on protection. 


5.3.4.5 PAGE-LEVEL CACHE CONTROL BITS 


The PCD and PWT bits are used for page-level cache management. Software can control 
the caching of individual pages or second-level page tables using these . bits. See 
Chapter 12 for more information on caching. 


5.3.5 Translation Lookaside Buffer 


The processor stores the most recently used page table entries in an on-chip cache called 
the translation lookaside buffer or TLB. Most paging is performed using the contents of 
the TLB. Bus cycles to the page tables are performed only when a new page is used. 


The TLB is invisible to application programs, but not to operating systems. Operating- 
system programmers must flush the TLB (dispose of its page table entries) when entries 
in the page tables are changed. If this is not done, old data which has not received the 
changes might get used for address translation. A change to an entry for a page which is 
not present in memory does not require flushing the TLB, because entries for not- 
present pages are not cached. 


The TLB is flushed when the CR3 register is loaded. The CR3 acetet can be loaded in 
either of two ways: | 


1. Explicit loading using MOV sounaeaans such as: 
NOV CR3, EAX | 


2. Implicit loading by a task switch which changes the contents of the CR3 register. 
(See ree 7 for more information on task pce , 


An individual entry in the TLB can be flushed using an INVLPG instruction. ‘This is 
useful when the mapping of an individual page is changed. | | | 


5-22 


intel r MEMORY MANAGEMENT 


5.4 COMBINING SEGMENT AND PAGE TRANSLATION 


Figure 5-16 combines Figure 5-5 and Figure 5-13 to summarize both stages of translation 
from a logical address to a physical address when paging is enabled. Options available in 
both stages of address translation can be used to support several different styles of 
memory management. 


5.4.1 Flat Model 


When the Intel486 processor is used to run software written without segments, it may be 
desirable to remove the segmentation features of the Intel486 processor. The Intel486 
processor does not have a mode bit for disabling segmentation, but the same effect can 
be achieved by mapping the stack, code, and data spaces to the same range of linear 
addresses. The 32-bit offsets used by Intel486 processor instructions can cover the entire 
linear address space. 


When paging is used, the segments can be mapped to the entire linear address space. If 
more than one program is being run at the same time, the paging mechanism can be 
used to give each program a separate address space. 


16 0 32 0 
ADDRES: Ew = LORrSEY 2 | 
ADDRESS SELECTOR | OFFSET 


DESCIPTOR TABLE 


SEGMENT 
~ {DESCRIPTOR 


LINEAR PAGE FRAME 
ADDRESS 


OPERAND 


PAGE TABLE 


PG TBL ENTRY 
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Figure 5-16. Combined Segment and Page Address Translation 
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5.4.2 Segments Spanning Several Pages 


The architecture allows segments which are larger than the size of a page (4K bytes). For 
example, a large data structure may span thousands of pages. If paging were not used, 
access to any part of the data structure would require the entire data structure to be 
_ present in physical memory. With paging, only the page containing the part being 
accessed needs to be in memory. 


5.4.3 Pages Spanning Several Segments 


Segments also may be smaller than the size of a page. If one of thése segments is placed 
in a page which is not shared with another segment, the extra memory is wasted. For 
example, a small data structure, such as a 1-byte semaphore, occupies 4K bytes if it is 
placed in a page by itself. If many semaphores are used, it is more efficient to pack them 
into a single page. 


5. 4.4 Non ANgned Page and Segment Boundaries 


The architecture does not enforce any correspondence between the Boundalies of pages 
and segments. A page may contain the end of one segment and the beginning of another. 
Likewise, a segment may contain the end of one page and the beginning of another. 


5.4.5 Aligned Page and Segment Boundaries 


Memory-management ee may be ie and more efficient if it enforces some 
alignment between page and segment boundaries. For example, if a segment which may 
fit in one page is placed in two pages, there may be twice as much paging overhead to 
support access to that segment. | 


5.4.6 Page-Table Per Segment 


An approach to combining paging and segmentation which simplifies memory- 

management software is to give each segment its own page table, as shown in 

Figure 5-17. This gives the segment a single entry in the page directory which provides 
the access control information for paging the segment. 
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Figure 5-17. Each Segment Can Have Its Own Page Table 
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CHAPTER 6 
PROTECTION 


Protection is necessary for reliable multitasking. Protection can be used to prevent tasks 
from interfering with each other. For example, protection can keep one task from over- 
writing the instructions or data of another task. 


During program development, the protection mechanism can give a clearer picture of 
program bugs. When a program makes an unexpected reference to the wrong memory 
space, the protection mechanism can block the event and report its occurrence. 


In end-user systems, the protection mechanism can guard against the possibility of soft- 
ware failures caused by undetected program bugs. If a program fails, its effects can be. 
confined to a limited domain. The operating system can be protected against damage, so 
diagnostic information can be recorded and automatic recovery may be attempted. 


Protection may be applied to segments and pages. Two bits in a processor register define. 
the privilege level of the program currently running (called the current privilege level or 
CPL). The CPL is checked during address translation for segmentation and paging. 


Although there is no control register or mode bit for turning off the protection mecha- 
nism, the same effect can be achieved by assigning privilege level 0 (the highest level of 
privilege) to all segment selectors, segment descriptors, and page table entries. 


6.1 SEGMENT-LEVEL PROTECTION 


Protection provides the ability to limit the amount of interference a malfunctioning pro- 
gram can inflict on other programs and their data. Protection is a valuable aid in soft- 
ware development because it allows software tools (operating system, debugger, etc.) to 
survive in memory undamaged. When an application program fails, the software is avail-. 
able to report diagnostic messages, and the debugger is available for post-mortem anal- 
ysis of memory and registers. In production, protection can make software more reliable 
by giving the system an opportunity to initiate recovery procedures. . 


Each memory reference is checked to verify that it satisfies the protection checks. All 
checks are made before the memory cycle is started; any violation prevents the cycle 
from starting and results in an exception. Because checks are performed in parallel with 
address translation, there is no performance penalty. There are five protection checks: 


. Type check 
Limit check 


Restriction of addressable domain 


Restriction of procedure entry points 


A RW N 


Restriction of instruction set | 
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A protection violation results in an exception. See Chapter 9 for an explanation of the 
exception mechanism. This chapter describes the protection violations which lead to 
exceptions. 


6.2 SEGMENT DESCRIPTORS AND PROTECTION 


Figure 6-1 shows the fields of a segment descriptor which are used by the protection 
mechanism. Individual bits in the Type field also are referred to by the names of their 
functions. , 


Protection parameters are placed in the descriptor when it is created. In general, appli- 
cation programmers do not need to be concerned about protection parameters. 


DATA SEGMENT DESCRIPTOR 


BASE 31:24 MIT BASE 23:16 
: . Ps L : 


SEGMENT BASE 15:00 SEGMENT LIMIT 15:00 


CODE SEGMENT DESCRIPTOR 
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ACCESSED 
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240486i6-10f1 


Figure 6-1. Descriptor Fields Used for Protection (Part 1 of 2) 
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Figure 6-1. Descriptor Fields Used for Protection (Part 2 of 2) 


When a program loads a segment selector into a segment register, the processor loads 
both the base address of the segment and the protection information. The invisible part 
of each segment register has storage for the base, limit, type, and privilege level. While 
this information is resident in the segment register, subsequent protection checks on the 
same segment can be performed with no performance penalty. 


6.2.1 Type Checking 


In addition to the descriptors for application code and data segments, the Intel486 pro- 
cessor has descriptors for system segments and gates. These are data structures used for 
managing tasks (Chapter 7) and exceptions and interrupts (Chapter 9). Table 6-1 lists all 
the types defined for system segments and gates. Note that not all descriptors define 
segments; gate descriptors hold pointers to procedure entry points. 


The Type fields of code and data segment descriptors include bits which further define 
the purpose of the segment (see Figure 6-1): 


e The Writable bit in a data-segment descriptor controls whether programs can write to 
the segment. 


e The Readable bit in an executable-segment descriptor specifies whether programs 
can read from the segment (e.g., to access constants stored in the code space). - 
readable, executable segment may be read in two ways: 


1. With the CS register, by using a CS override prefix. 


2. By loading a selector for the descriptor into a data-segment register (the DS, ES, 
FS, or GS registers). 
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Table 6-1. System Segment and Gate Types 


reserved 

Available 80286 TSS 
LDT , 

Busy 80286 TSS. 
Call.Gate 

Task Gate : 
80286 Interrupt Gate . 


80286 Trap Gate 
reserved _ 

_ Available Intel486™ CPU TSS 
reserved | 
Busy Intel486 CPU TSS 
Intel486 CPU Call Gate 

reserved ' | 
Intel486 CPU Interrupt Gate 
Intel486 CPU Trap Gate 


Type checking can be used to detect programming errors which would attempt to use 
segments in ways not intended by the programmer: The Processor examines type infor- 
mation on two kinds of occasions: | 


i; When a selector for a cee ee is loaded into a segment register. Certain segment 
registers can contain only certain descriptor types; for example: 


e The CS register only can be loaded with a selector for an executable segment. 


e Selectors of executable segments which are not readable cannot be aes into 
data-segment registers. 7 


e Only selectors of writable data ee can be loaded into the SS register 


2 Certain segments can be acca by instructions only in certain predetined mays for 
: example: — | , 


-e No instruction may write into an executable segment. 
e No instruction may write into a data segment if the writable bit is not set. 
---@ No instruction may read an executable segment unless the readable bit is set. — 


6.2.2 Limit Checking 


The Limit field of a segment descriptor prevents programs from addressing outside the - 
segment. The effective value of the limit depends on the setting of the G bit (Granularity 
bit). For data segments, the limit also depends on the E bit (Expansion Direction bit). 
The E bit is.a designation for one bit of the Type field, when a to gate semen 
descriptors. | 
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When the G bit is clear, the limit is the value of the 20-bit Limit field in the descriptor. 
In this case, the limit ranges from 0 to OFFFFFH (27° — 1 or 1 megabyte). When the 
G bit is set, the processor scales the value in the Limit field by a factor of 2’*. In this case 
the limit ranges from OFFFH (2’* — 1 or 4K bytes) to OFFFFFFFFH (27 — 1 or 
4 gigabytes). Note that when scaling is used, the lower twelve bits of the address are not 
checked against the limit; when the G bit is set and the segment limit is 0, valid offsets 
within the segment are 0 through 4095. 


For all types of segments except expand-down data segments (stack segments), the value 
of the limit is one less than the size, in bytes, of the segment. The processor causes a 
general-protection exception in any of these cases: ; 


e Attempt to access a memory byte at an address > limit 
e Attempt to access a memory word at an address > (limit — 1) 


e Attempt to access a memory doubleword at an address > (limit — 3) 


For expand-down data segments, the limit has the same function but is interpreted 
differently. In these cases the range of valid offsets is from (limit + 1) to 2°* —1 if 
Bbit=1 and 2'°-1 if Bbit=0. An expand-down segment has maximum size when the 
segment limit is 0. | ie 4 


Limit checking catches programming errors such as runaway subscripts and invalid 
pointer calculations. These errors are detected when they occur, so identification of the 
cause is easier. Without limit checking, these errors could overwrite critical memory in 
another module, and the existence of these errors would not be discovered until the 
damaged module crashed, an event which may occur long after the actual error. Protec- 
tion can block these errors and report their source. 7 


In addition to limit checking on segments, there is limit checking on the descriptor 
tables. The GDTR and IDTR registers contain a 16-bit limit value. It is used by the 
processor to prevent programs from selecting a segment descriptor outside the descrip- 
tor table. The limit of a descriptor table identifies the last valid byte of the table. 
Because each descriptor is eight bytes long, a table which contains up to N descriptors * 
should have a limit of 8N — 1. 


A descriptor may be given a zero value. This refers to the first descriptor in the GDT, 
which is not used. Although this descriptor may be loaded into a segment register, any 
attempt to reference memory using this descriptor will generate a general-protection 
exception. | 7 | : 


6.2.3 Privilege Levels 


The protection mechanism recognizes four privilege levels, numbered from 0 to 3. The 
greater numbers mean lesser privileges. If all other protection checks are satisfied, a 
general-protection exception is generated if a program attempts to access a segment 
using a less privileged level (greater privilege number) than that applied to the segment. 
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Although no control register or mode bit is provided for turning off the protection — 
mechanism, the same effect can be achieved by assigning all privilege levels the value of 
0. (The PE bit in the CRO register is not an enabling bit for. the protection mechanism 
alone; it is used to enable “protected mode,” the mode of program execution in which 
the full 32-bit architecture is available. When protected mode is disabled, the processor 
operates in “real-address mode,” where it appears as a fast, enhanced 8086 pe) 


Privilege levels can be used to improve the reliability of sneering systems. By giving the 
operating system the highest privilege level, it is protected from damage by bugs in other 
programs. If a program crashes, the operating system has a chance to generate . a \ diag- 
nostic message and attempt recovery procedures. 


Another level of privilege can be established for other parts of the system software, such 
as the programs which handle peripheral devices, called device drivers. If a device driver 
crashes, the operating system should be able to report a diagnostic message, so it makes 
sense to protect the operating system against bugs in device drivers. A device driver, 
however, may service an important peripheral such as a disk drive. If the application 
program crashed, the device driver should not corrupt the directory structure of the disk, 
so it makes sense to protect device drivers against bugs in applications. Device drivers - 
should be given an intermediate privilege level between the operating system and the 
application programs. Application programs are given the lowest privilege level. 


Figure 6-2 shows how these levels of privilege can be interpreted as rings of protection. 
The center is for the segments containing the-most critical software, eas Pe kernel of 
an Opetahng system: Outer mee are for less critical software. a, i 


The following data structures contain privilege levels: 


e The lowest two bits of the CS segment register hold the current privilege level (CPL). 

_ This is the privilege level of the program being run. The lowest two bits of the SS 

register also hold a copy of the CPL. Normally, the CPL is equal to the privilege level 

_ of the code segment from which instructions are being fetched. The CPL changes 
~ when control is transferred to a code segment with a different privilege level. a 


© Segment descriptors contain a field called the sae ad eee tevel ae The , 
DPL is the privilege level applied toa segment. 


°. Segment éélectots contain.a field called the requestor pve level. (RPL ,; The RPL is is 
intended to represent the privilege level of the procedure which created the selector. 
If the RPL is a less privileged level than the CPL, it overrides the CPL. When a more 
privileged program receives a segment. selector from a less privileged program, a 
RPL causes the memory access to take place at the less privileged level. 


Privilege levels are checked when the:selector of a descriptor is loaded into a segment 
register. The checks used for data access differ from those used for transfers of execu- 
tion among executable segments; therefore, the two OPES of access are considered ae 
arately in the following sections. | | | iy tock | 
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Figure 6-2. Protection Rings 
6.3 RESTRICTING ACCESS TO DATA 


To address operands in memory, a segment selector for a data segment must be loaded | 
into a data-segment register (the DS, ES, FS, GS, or SS registers). The processor checks 
the. segment’s privilege levels. The check is performed when the segment selector is 
loaded. As Figure 6-3 shows, three different privilege levels enter into this WDE of priv- 
ilege check. 


The three privilege levels which are checked are: 


a ‘The CPL (current privilege level) of the program. This is held in the two least- 
significant bit positions of the CS register. 


2. The DPL (descriptor privilege level) of the segment descriptor of the segment con- 
taining the operand. , | 


3. The RPL (requestor’s privilege level) of the selector used to specify the segment 
- containing the operand. This is held in the two lowest bit positions of the segment 

register used to access the operand: (the SS, DS, ES, FS, or GS registers). If the 
_- operand is in the stack segment, the RPL is the same as the CPL. 
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Figure 6-3. Privilege Check for Data Access _ 


Instructions may load a segment register only if the DPL of the segment is the same ora 
less privileged level (greater privilege number) than the less privileged of the oie and 
the selector’s RPL. | 


The addressable domain of a task varies as its CPL changes. When the CPL is 0, data 
segments at all privilege levels are accessible; when the CPL is 1, only data segments at 
privilege levels 1 through 3 are accessible; when the CPL is 3, only data segments at 
privilege level 3 are accessible. 


6. S.- 1 Accessing Data in Code Segments 


It may be desirable to store ‘data i ina code segment, for eaniele: Shen both Gide and 
data are provided in ROM. Code segments may. legitimately hold constants; it is not 
possible to write to a segment: defined as a code segment, unless a data segment is 
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mapped to the same address space. The following methods of accessing data in code 
segments are possible: 


1. Load a data-segment register with a segment selector for a nonconforming, read- 
able, executable segment. 


2. Load a data-segment register with a segment selector for a conforming, readable, 
executable segment. 


3. Use a code-segment override prefix to read a readable, executable segment whose 
selector already is loaded in the CS register. 


The same rules for access to data segments apply to case 1. Case 2 is always valid 
because the privilege level of a code segment with a set Conforming bit is effectively the 
same as the CPL, regardless of its DPL. Case 3 is always valid because the DPL of Be 
code segment selected by the CS register is the CPL. 


6.4 RESTRICTING CONTROL TRANSFERS 


With the Intel486 processor, control transfers are provided by the JMP, CALL, RET, 
INT, and IRET instructions, as well as by the exception and interrupt mechanisms. 
Exceptions and interrupts are special cases discussed in Chapter 9. This chapter dis- 
cusses only the JMP, CALL, and RET instructions. 


The ‘“‘near” forms of the JMP, CALL, and RET instructions transfer program control 
within the current code segment, and therefore are subject only to limit checking. The 
processor checks that the destination of the JMP, CALL, or RET instruction does not 
exceed the limit of the current code segment. This limit 1s cached in the CS ECeISICr, te) 
protection checks for near transfers require no performance penalty. 


The operands of the “far” forms of the JMP and CALL instruction refer to other seg- 
ments, so the processor performs privilege checking. There are two ways a JMP or 
CALL instruction can refer to another segment: 


1. The operand selects the descriptor of another executable segment. 
2. The operand selects a call gate descriptor. This gated form of transfer i is discussed i in 
Chapter 7. 

As Figure 6-4 shows, two different privilege levels enter into a privilege check en a 
control transfer which does not use a call gate: | 

1. The CPL (current privilege level). 

2. The DPL of the descriptor of the destination code segment. 
Normally the CPL is equal to the DPL of the segment which the processor is currently 


executing. The CPL may, however, be greater (less privileged) than the DPL if the 
current code segment is a conforming segment (as indicated by the Type field of its 
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Figure 6-4. Privilege Check for Control Transfer Without Gate 


240486i6-4 


segment descriptor). A conforming segment runs at the privilege level of the calling 
procedure. The processor keeps a record of the CPL cached in the CS register; this value 
can be different from the DPL in the segment descriptor of the current code segment. 


The processor only permits a JMP or CALL instruction directly into another segment if 
one of the following privilege rules is satisfied: 


° The DPL of the segment is equal to the current CPL. 


e The segment is a conforming code segment, and its DPL i is less (more paivieged) than 
the current CPL. 


Conforming segments are used for programs, such as math libraries and some kinds of 
exception handlers, which support applications but do not require access to protected 
system facilities. When control is transferred to a conforming segment, the CPL does not 
change, even if the selector used to address the segment has a different RPL. This is the 
only condition in which the CPL may be different 1 from the DPL of the current pode 
segment. : | 


Most code segments are not conforming. For these segments, control can be transferred — 
without a gate only to other code segments at the same level of privilege. It is sometimes 
necessary, however, to transfer control to higher privilege levels. This is accomplished 
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with the CALL instruction using call-gate descriptors, which is explained in Chapter 7. 
The JMP instruction may never transfer control to a nonconforming segment whose 
DPL does not equal the CPL. 


6.5 GATE DESCRIPTORS 


To provide protection for control transfers among executable segments at different priv- 
ilege levels, the Intel486 processor uses gate descriptors. There are four kinds of gate 
descriptors: 


e Call gates 

e Trap gates 

e Interrupt gates 

e Task gates 

Task gates are used for task switching and are discussed in Chapter 7. Chapter 9 explains 
how trap gates and interrupt gates are used by exceptions and interrupts. This chapter is 
concerned only with call gates. Call gates are a form of protected control transfer. They 
are used for control transfers between different privilege levels. They only need to be 
used in systems in which more than one privilege level is used. Figure 6-5 illustrates the 
format of a call gate. 

A call gate has two main functions: 


1. To define an entry point of a procedure. 


2. To specify the privilege level required to enter a procedure. 


32-BIT CALL GATE 


OFFSET IN SEGMENT 31:16 


SEGMENT SELECTOR 


DESCRIPTOR PRIVILEGE LEVEL 
SEGMENT PRESENT 


240486i6-5 


Figure 6-5. Call Gate 
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Call gate descriptors are used by CALL and JUMP instructions in the.same manner as 
code segment descriptors. When the hardware recognizes that the segment selector for 
the destination refers to a gate descriptor, the operation of the instruction is determined 
by the contents of the call gate. A call gate descriptor may reside in the GDT or in an 
LDT, but not in the interrupt descriptor table (IDT). 


The selector and offset fields of a gate form a pointer to the entry point of a procedure. 
A call gate guarantees that all control transfers to other segments go to a valid entry 
point, rather than to the middle of a procedure (or worse, to the middle of an instruc- 
tion). The operand of the control transfer instruction is not the segment selector and 
offset within the segment to the procedure’s entry point. Instead, the segment selector 
points to a gate descriptor, and the offset is not used. Figure 6-6 shows this form of 
addressing. | , 


|~———CESTINATION ADDRESS >] 


15. 0... 31: 0- 


“[) SeLecToR | | OFFSET WITHIN SEGMENT - 


NOT USED 


DESCRIPTOR TABLE 


DP GATE 
DESCRIPTOR 


CODE SEGMENT 
DESCRIPTOR 


PROCEDURE ENTRY POINT 
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Figure 6-6. Call Gate Mechanism 
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As shown in Figure 6-7, four different privilege levels are used to check the validity of a 
control transfer through a call gate. 


The privilege levels checked during a transfer of execution through a call gate are: 


1. The CPL (current privilege level). 


2. The RPL (requestor’s privilege level) of the segment selector used to specify the call 
gate. | 


3. The DPL (descriptor privilege level) of the gate descriptor. 


4. The DPL of the segment descriptor of the destination code segment. 


The DPL field of the gate descriptor determines from which privilege levels the gate may 
be used. One code segment can have several procedures which are intended for use from 
different privilege levels. For example, an operating system may have some services 
which are intended to be used by both the operating system and application software, 
such as routines to handle character I/O, while other services may be intended only for 
use by operating system, such as routines which initialize device drivers. 


Gates can be used for control transfers to more privileged levels or to the same privilege 
level (though they are not necessary for transfers to the same level). Only CALL instruc- 
tions can use gates to transfer to more privileged levels. A JMP instruction may use a 
gate only to transfer control to a code segment with the same privilege level, or to a 
conforming code segment with the same or a more privileged level. 


For a JMP instruction to a nonconforming segment, both of the following privilege rules 
must be satisfied; otherwise, a general-protection exception is generated. 


MAX (CPL,RPL) < gate-DPL 
destination code segment DPL = CPL 


For a CALL instruction (or for a JMP instruction to a conforming segment), both of the 
following privilege rules must be satisfied; otherwise, a general-protection exception is 
generated. | : 


MAX (CPL,RPL) s gate DPL 
destination code segment DPL = CPL 


6.5.1 Stack Switching 


A procedure call to a more privileged level does the following: 
1. Changes the CPL. — 
2. Transfers control (execution). 


3. Switches stacks. 
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Figure 6-7. Privilege Check for Control Transfer with Call Gate 


6-14 


intel P PROTECTION 


All inner protection rings (privilege levels 0, 1, and 2), have their own stacks for receiv- 
ing calls from less privileged levels. If the caller were to provide the stack, and the stack 
was too small, the called procedure might crash as a result of insufficient stack space. 
Instead, less privileged programs are prevented from crashing more privileged programs 
by creating a new stack when a call is made to a more privileged level. The new stack is 
created, parameters are copied from the old stack, the contents of registers are saved, 
and execution proceeds normally. When the procedure returns, the contents of the saved 
registers restore the original stack. A complete description of the task switching mecha- 
nism is provided in Chapter 7. 


The processor finds the space to create new stacks using the task state segment (TSS), as 
shown in Figure 6-8. Each task has its own TSS. The TSS contains initial stack pointers 
for the inner protection rings. The operating system is responsible for creating each TSS 
and initializing its stack pointers. An initial stack pointer consists of a segment selector 
and an initial value for the ESP register (an initial offset into the segment). The initial 
stack pointers are strictly read-only values. The processor does not change them while 
the task runs. These stack pointers are used only to create new stacks when calls are 
made to more privileged levels. These stacks disappear when the called procedure 
returns. The next time the procedure is called, a new stack is created using the initial 
stack pointer. | 


32-BIT TASK STATE SEGMENT 


NOTE: ADDRESSES ARE IN HEXADECIMAL 
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Figure 6-8. Initial Stack Pointers ina TSS 
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When a call gate is used to change privilege levels, a new stack is created by loading an 
address from the TSS. The processor uses the DPL of the destination code segment (ae 
new a) to select ae initial stack pomicr nO: PHVICES level 0, 1, or 2. 


The DPL of the new stack segment must equal the new CPL; if fob a stack-fault excep- 
tion is generated. It is the responsibility of the operating system to create stacks and 
‘stack-segment descriptors for all privilege levels which are used. The stacks must be 
read/write as specified in the Type field of their segment descriptors. They must contain 
enough space, as specified in the Limit field, to hold the contents of the SS and ESP 
registers, the return address, and the peeuieiol and temporary variables ape by 
the called procedure. — 


As with calls within a privilege level, parameters for the procedure are placed on the 
stack. The parameters are copied to the new stack. The parameters can be accessed 
within the called procedure using the same relative addresses which would have been 
used if no stack switching had occurred. The count field of a call gate tells the processor 
how many doublewords (up to 31) to copy from the caller’s stack to the lk of the 
called procegure. If the count is 0, no parameters are: ope: 


If more than 31 doublewords of data need to be passed to the called procedure, one of 
the parameters can be a pointer to a data structure, or the saved contents of the SS and 
ESP registers may be used to access parameters in the old stack space. 


The processor performs the following s anaes. steps in executing a procedure call 
between privilege levels. : 


1. The stack of the called procedure is checked to make certain it is large enough to 
hold the parameters and the saved contents of registers; if not, a stack exception iS 
generated. 


2. The old contents of the SS and ESP registers are pushed onto the stack of the called 
procedure as two doublewords (the 16-bit SS register is zero-extended to 32 bits; the 
zero-extended upper word is Intel reserved; do not use). 


3. The parameters are copied from the stack of the caller to the stack of the called 
procedure. 


4, A pointer to the instruction after the CALL instruction (the old contents of the CS 
and EJP registers) is pushed onto the new stack. The contents of the SS and ESP 
registers after the call point to this return pointer on the stack. 


Figure 6-9 illustrates the stack frame before, during, and after a successful interlevel 
procedure call and return. 


The TSS does not have a stack pointer for a privilege level 3 stack, because a procedure 
at privilege level 3 cannot be called by a less privileged procedure. The stack for privilege 
level 3 is preserved by the contents of the SS and EIP pores oL have been saved on 
the stack of the privilege level called from level 3. 
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OLD STACK, NEW STACK, OLD STACK, 
BEFORE CALL: AFTER CALL, _ AFTER RETURN: 
BEFORE RETURN: 


OLD SS 
OLDESP 


OLD EIP 
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Figure 6-9. Stack Frame During Interlevel Call 


A call using a call gate does not check the values of the words copied onto the new stack. 
The called procedure should check each parameter for validity. A later section discusses 
how the ARPL, VERR, VERW, LSL, and LAR instructions can be used to check 
pointer values. 


6.5.2 Returning from a Procedure 


The “near” forms of the RET instruction only transfer control within the current code 
segment, therefore are subject only to limit checking. The offset to the instruction fol- 
lowing the CALL instruction is popped from the stack into the EIP register. The proces- 
sor checks that this offset does not exceed the limit of the current code segment. 


The “far” form of the RET instruction pops the return address which was pushed onto 
the stack by an earlier far CALL instruction. Under normal conditions, the return 
pointer is valid, because it was generated by a CALL or INT instruction. Nevertheless, 
_ the processor performs privilege checking because of the possibility that the current 
procedure altered the pointer or failed to maintain the stack properly. The RPL of the 
code-segment selector popped off the stack by the return instruction ous have the 
privilege level of the calling procedure. | | 7 : 
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A return to another segment can change privilege levels, but only toward less privileged 
levels. When a RET instruction encounters a saved CS value whose RPL is numerically 
greater than the CPL (less privileged level), a return across privilege levels occurs. A 
return of this kind performs these steps: 


| 1. The checks shown in Table 6-2 are made, and the CS, EIP, SS, and ESP registers 
are loaded with their former values, which were saved on the stack. 


2. The old contents of the SS and ESP registers (from the top of the current stack) are 
adjusted by the number of bytes indicated in the RET instruction. The resulting ESP 
value is not checked against the a of the stack segment. If the ESP value is 


Table 6-2. Interlevel | Return Checks 


_ Type of Check | Exception Type; 


top-of-stack +. 7 must be within stack seg- ‘stack 

ment limit ; | 

RPL of return code segment mustbe =. ~—+|_ protection Return CS 
greater than the CPL 


Return code segment selector must be | _ protection - Return CS 
non-null 


Return code segment descriptor must be | protection | Return CS 
within descriptor table limit 3 


Return segment descriptor must be a protection Return CS 
code. segment: ee ee age 


Return code segment is present ~~ ~—~— ‘| _*- ‘segment not present Return CS’ 


DPL of return non-conforming code seg- protection . Return CS 
ment must equal RPL of return code seg- =» |°- © : 3 

- . ment selector, or DPL-of return conforming 
code segment must be less than or:equal - 
to RPL of return code segment selector 


ESP + N + 15* must be within the stack stack fault 
segment limit 


segment selector at ESP + N + 12* must protection | Return SS 
be non-null 


segment descriptor at ESP + N + 12* . protection . Return SS 
must be within descriptor table limit | cymes Te vey : 


stack segment descriptor must be read/ a : protection — a Return SS 
write | | | 


stack segment must be pieaent. | not present Return SS 
| stack fault 


7 old stack segment DPL must be equal to ov protection - Return SS 
RPL of old code segment . 9 . 


| old stack segment ‘selector must havean §_ |_protection | Return SS- 
_ RPL equal to the DPL of the old stack | [a | | | 
| segment oe | 


*N is the value of the immediate operand supplied with the RET instruction. 
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beyond the limit, that fact is not recognized until the next stack operation. (The 
contents of the SS and ESP registers for the returning procedure are not preserved; 
normally, their values are the same as those contained in the TSS.) 


3. The contents of the DS, ES, FS, and GS segment registers are checked. If any of 
these registers refer to segments whose DPL is less than the new CPL (excluding 
conforming code segments), the segment register is loaded with the null selector 
(Index = 0, TI = 0). The RET instruction itself does not signal exceptions in these 
cases; however, any subsequent memory reference using a segment register contain- 
ing the null selector will cause a general-protection exception. This prevents less 
privileged code from accessing more privileged segments using selectors left in the 
segment registers by a more privileged procedure. 


6.6 INSTRUCTIONS RESERVED FOR THE OPERATING SYSTEM 


Instructions which can affect the protection mechanism or influence general system per- 
formance can only be executed by trusted procedures. The Intel486 processor has two 
classes of such instructions: 


1. Privileged instructions — those used for system control. 
2. Sensitive instructions —those used for I/O and I/O-related activities. 


6.6.1 Privileged Instructions 


The instructions which affect protected facilities can be executed only when the CPL is 0 
(most privileged). If one of these instructions is executed when the CPL is not 0, a 
general-protection exception is generated. These instructions include: 


CLTS — Clear Task-Switched Flag 
HLT — Halt Processor 3 
INVD —Invalidate Cache 

INVLPG | —Invalidate TLB Entry 
LGDT —Load GDT Register 

LIDT —Load IDT Register 

LLDT —Load LDT Register 
LMSW —Load Machine Status Word 
LTR — Load Task Register 

MOV to/from CRO — Move to Control Register 0 
MOV to/from DRn _—Move to Debug Register n— 
MOV to/from TRn — Move to Test Register n 


WBINVD | — Write Back and Invalidate Cache 


6.6.2 Sensitive Instructions 
Instructions which deal with I/O need to be protected, but they also need to be used by 


procedures executing at privilege levels other than 0 (the most privileged level). The 
mechanisms for protection of I/O operations are covered in detail in Chapter 8. 
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6.7 di eidk spent ROR eer VALIDATION 


Pointer validation is necessary for maintaining isolation between privilege | levels. It con- 
sists of the following Steps: | ; 


| ne Check if the supplier of the pointer is allowed to ACCESS: the segment. 
be Check if the segment type is compatible with its use. 


2 Cheek if the p ponte: offset, exceeds the segment limit. . 


Aidicugh the Intel486 processor aoc performs checks 2 and 3 during instruc- 
tion execution, software must assist in performing the first check. The ARPL instruction 
is provided for this purpose. Software also can use steps 2 and 3 to check for potential 
violations, rather than waiting for an exception to be generated. The LAR, LSL, VERR, 
and vee instructions are pines for this puree ce 


An additional check, the alignment check, can be sealed in user mode. When both the 
AM bit in CRO and the AC flag are set, unaligned memory references generate excep- 
tions. This is useful for programs which use the low two bits of pointers to identify the 
type of data structure they. address. For example, a subroutine in a math library may 
accept pointers to numeric data structures. If the type of this structure is assigned a code 
of 10 (binary) in the lowest two bits of pointers to this type, math subroutines can correct 
for the type code by adding a displacement of —10 (binary). If the subroutine should 
ever receive the wrong pointer type, an unaligned reference would be produced, which 
would generate an exception. Alignment checking accelerates the processing of pro- 
grams written in symbolic- processing (i.e., Artificial Intelligence) languages such as Lisp, 
Prolog, Smalltalk, and C+ +. It can be used to speed up pointer tag type checking. — 


LAR (Load Access Rights) is used to verify that a pointer refers to a segment of a 
compatible privilege level and type. The LAR instruction has one operand—a segment 
selector for a descriptor whose access rights are to be checked. The segment descriptor 
must be readable at a privilege level which is numerically greater (less privileged) than 
the CPL and the selector’s RPL. If the descriptor is readable, the LAR instruction gets 
the second doubleword of the descriptor, masks this value with OOFxFFOOH, stores the 
result into the specified 32-bit destination register, and sets the ZF flag. (The x indicates 
that the corresponding four bits of the stored value are undefined.) Once loaded, the 
access rights can be tested. All valid descriptor types can be tested by the LAR instruc- 
tion. If the RPL or CPL is greater than the DPL, or. if the segment selector would exceed 
the limit for the descriptor table, no access. rights are returned, and the ZF flag is 
cleared. outoHne code. seemcnis may a accessed from any privilege level. | 


LSL (Load Seuincit Limit) abe sonwate to test aie limit of a segment descriptor. If 
the descriptor referenced by the segment selector (in memory or a register) is readable 
at the CPL, the LSL instruction loads the specified 32-bit register with a 32-bit, byte 
granular limit calculated from the concatenated limit fields and the G bit of the descrip- 
tor. This only can. be done for descriptors which describe segments (data, code, task 
state, and local descriptor tables); gate descriptors are inaccessible. (Table 6-3 lists in 
detail which types are valid and which are not.) Interpreting the limit is a function of the 
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Table 6-3. Valid Descriptor Types for LSL Instruction 


—— eee 


reserved 

reserved 

LDT 

reserved 

reserved 

Task Gate 

reserved 

reserved 

reserved 

Available Intel486™ CPU TSS 
reserved 

Busy Intel486 CPU TSS 
Intel486 CPU Call Gate 
reserved 

Intel486 CPU Interrupt Gate 
Intel486 CPU Trap Gate 


0 
1 
2 
3 
4 
5 
6 
7 
8 
9 
A 
B 
C 
D 
E 
F 


segment type. For example, downward-expandable data segments (stack segments) treat 
the limit differently than other kinds of segments. For both the LAR and LSL instruc- 
tions, the ZF flag is set if the load was successful; otherwise, the ZF flag is cleared. 


6.7.1 Descriptor Validation 


The Intel486 processor has two instructions, VERR and VERW, which determine 
whether a segment selector points to a segment which can be read or written using the 
CPL. Neither instruction causes a protection fault if the segment cannot be accessed. 


VERR (Verify for Reading) verifies a segment for reading and sets the ZF flag if that 
segment is readable using the CPL. The VERR instruction checks the following: 


e The segment selector points to a segment descriptor within the bounds of the GDT or 
an LDT. 


e The segment selector indexes to a code or data segment descriptor. 
e The segment is readable and has a compatible privilege level. 
The privilege check for data segments and nonconforming code segments verifies that 


the DPL must be a less privileged level than either the CPL or the selector’s RPL. 
Conforming segments are not checked for privilege level. 


VERW (Verify for Writing) provides the same capability as the VERR instruction for 


verifying writability. Like the VERR instruction, the VERW instruction sets the ZF flag 
if the segment can be written. The instruction verifies the descriptor is within bounds, is _ 
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a segment descriptor, is writable, and has a DPL which is a less privileged level than 
either the CPL or the selector’s RPL. Code segments are never writable, whether con- 
forming or not. 


6.7.2 Pointer Integrity and RPL 


The requestor’s privilege level (RPL) can prevent accidental use of pointers which crash 
more privileged code from a less privileged level. 


A common example is a file system procedure, FREAD (file_id, n_bytes, buffer_ptr). 
This hypothetical procedure reads data from a disk file into a buffer, overwriting what- 
ever is already there. It services requests from programs operating at the application 
level, but it must run in a privileged mode in order to read from the system I/O buffer. If 
the application program passed this procedure a bad buffer pointer, one which pointed 
at critical code or data in a privileged address space, the procedure could cause ees 
which would crash the system. 


Use of the RPL can avoid this problem. The RPL allows a privilege override to be 
assigned to a selector. This privilege override is intended to be the privilege level of the 
code segment which generated the segment selector. In the above example, the RPL 
would be the CPL of the application program which called the system level procedure. 
The Intel486 processor automatically checks any segment selector loaded into a segment 
register to determine whether its RPL allows access. 


To take advantage of the processor’s checking of the RPL, the called procedure need 
only check that all segment selectors passed to it have an RPL for the same or a less 
privileged level as the original caller’s. CPL. This guarantees that the segment selectors 
are not more privileged than their source. If a selector is used to access a segment which 
the source would not be able to access directly, ie. the RPL is less privileged than the 
segment’s DPL, a general-protection exception is generated when the selector is loaded 
into a segment register. 


ARPL (Adjust Requested Privilege Level) adjusts the RPL field of a segment sélector to | 
be the larger (less privileged) of its original value and the value of the RPL field for a 
segment selector stored in a general register. The RPL fields are the two least significant 
bits of the segment selector and the register. The latter normally is a copy of the caller’s 
CS register on the stack. If the adjustment changes the selector’ Ss RPL, the ZF flag iS set; 
otherwise, the ZF flag is cleared. 


6.8 PAGE-LEVEL PROTECTION | 


Protection applies to both segments and pages. When the flat model for memory seg- 
mentation has been. used, page: -level pen een eeranist on pe ~~ 
each other. 
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Each memory reference is checked to verify that it satisfies the protection checks. All 
checks are made before the memory cycle is started; any violation prevents the cycle 
from starting and results in an exception. Because checks are performed in parallel with 
address translation, there is-no performance penalty. There are two page-level protec-- 
tion checks: 


1. Restriction of addressable domain. 
2. Type checking. 
A protection violation results in an exception. See Chapter 9 for an explanation of the 


exception mechanism. This chapter describes the protection violations which lead to 
exceptions. 


6.8.1 Page-Table Entries Hold Protection Parameters 


Figure 6-10 highlights the fields of a page table entry which control access to pages. The 
protection checks are applied for both first- and second-level page tables. 


6.8.1.1 RESTRICTING ADDRESSABLE DOMAIN 


Privilege is interpreted differently for pages and segments. With segments, there are four 
privilege levels, ranging from 0 (most pranes to 3 (least privileged). With pages, 
there are two levels of PEWEES: 


1. Supervisor level (U/S =0) —for the operating system, other system software (such as 
device drivers), and protected system data (such as page tables). 


2. User level (U/S=1)—for application code and data. 


The privilege levels used for segmentation are mapped into the privilege levels used for 
paging. If the CPL is 0, 1, or 2, the processor is running at supervisor level. If the CPL is 
3, the processor is running at user level.When the processor is running at supervisor 
level, all pages are accessible. When the processor is running at user level, ony pages 
from the user level are accessible. 


BEGE 
PAGE FRAME ADDRESS 31..12 
IZ 35 


RIW READ/WRITE 
U/S USER/SUPERVISOR 
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Figure 6-10. Protection Fields of a Page Table Entry 
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6.8.1.2 TYPE CHECKING 


Only two types of pages are recognized by the protection mechanism: 
1. Read-only access (R/W=0).. 
2. Read/write access (R/W=1). 


When the processor is running at supervisor level with the WP bit in the CRO register 
clear (its state following reset initialization), all pages are both readable and writable 
(write-protection is ignored). When the processor is running at user level, only pages 
which belong to user level and are marked for read/write access are writable. User-level _ 
pages which are read/write or read-only are readable. Pages from the supervisor level are 
neither readable nor writable from user level. A general-protection exception is gener- 
ated on any attempt to violate the protection rules. 


Unlike the Intel386 DX processor, the Intel486 processor allows user-mode pages to be 
write-protected against supervisor mode access. Setting the WP bit in the CRO register 
enables supervisor-mode sensitivity to user-mode, write-protected pages. This feature is 
useful for implementing the copy-on-write strategy used by some operating systems, such 
as UNIX, for task creation (also called Jone OF spawning): 


_ When a new task is created, it is possible to copy the entire address space of the parent 
task. This gives the child task a complete, duplicate set of the parent’s segments and 
pages. The copy-on-write strategy saves memory space and time by mapping the child’s 
segments and pages to the same segments and pages used by the parent task. A private 
copy of a page gets created only when one of the tasks writes to the pase 


6.8.2 Combining Protection of Both Levels of Page Tables 


For any one page, the protection attributes of its page directory entry (first-level page 
table) may differ from those of its second-level page table entry. The Intel486 processor 
checks the protection for a page by examining the protection specified in both the page 
directory (first-level page table) and the second-level page table. Table 6-4 shows the 
protection provided by the possible combinations of protection attributes when the WP 
bit is clear. 


6.8.3 Overrides to Page Protection 


Certain accesses are checked as if they are paces: -level 0 accesses, for any value 

of CPL: 

e Access to segment descriptors (LDT, GDT, TSS and IDD). 

e Access to inner stack during a CALL instruction, or exceptions ane interrupts, when 
a change of privilege level occurs. | 


6-24 


Page Directory Entry 
Access Type 


Privilege 


User 
User 
User 
User 
User 
User 
User 
User 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 


Read-Only 
Read-Only 
Read-Write 
Read-Write 
Read-Only 
Read-Only 
Read-Write 
Read-Write 
Read-Only 
Read-Only 
Read-Write 
Read-Write 
Read-Only 
Read-Only 
Read-Write 
Read-Write 


PROTECTION 


Page Table Entry 


Privilege 


User. 
User 
User 
User 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
User 
User 
User 
User 
Supervisor 
Supervisor 
Supervisor 
Supervisor 


Access Type 


Read-Only 
Read-Write 
Read-Only 
Read-Write 
Read-Only 
Read-Write 
Read-Only 
Read-Write 
Read-Only 
Read-Write 
Read-Only 
Read-Write 
Read-Only 
Read-Write 
Read-Only 
Read-Write 


Table 6-4. Combined Page Directory and Page Table Protection 


Combined Effect 


User 

User 

User 

User 

Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 
Supervisor 


Access Type 


Read-Only 

Read-Only 

Read-Only 

Read/Write 
Read/Write 
Read/Write 
Read/Write. 
Read/Write 
Read/Write 
Read/Write 
Read/Write 
Read/Write 
Read/Write 
Read/Write 
Read/Write 
Read/Write 


6.9 COMBINING PAGE AND SEGMENT PROTECTION 


When paging is enabled, the Intel486 processor first evaluates segment protection, then 
evaluates page protection. If the processor detects a protection violation at either the 
segment level or the page level, the operation does not go through; an exception occurs 
instead. If an exception is generated by segmentation, no paging exception is generated 
for the operation. 


For example, it is possible to define a large data segment which has some parts which are 
read-only and other parts which are read-write. In this case, the page directory (or page 
table) entries for the read-only parts would have the U/S and R/W bits specifying no 
write access for all the pages described by that directory entry (or for individual pages 
specified in the second-level page tables). This technique might be used, for example, to 
define a large data segment, part of which is read-only (for shared data or ROMmed 
constants). This defines a “flat”? data space as one large segment, with “flat’’ pointers 
used to access this “flat” space, while protecting shared data, shared files mapped into 
the virtual space, and supervisor areas. 
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CHAPTER 7 
MULTITASKING 


The Intel486 processor provides hardware support for multitasking. A task is a program 
which is running, or waiting to run while another program is running. A task is invoked 
by an interrupt, exception, jump, or call. When one of these forms of transferring exe- 
cution is used with a destination specified by an entry in one of the descriptor tables, this 
descriptor can be a type which causes a new task to begin execution after saving the state 
of the current task. There are two types of task-related descriptors which can occur in a 
descriptor table: task state segment descriptors and task gates. When execution is passed 
to either kind of descriptor, a task switch occurs. 


A task switch is like a procedure call, but it saves more processor state information. A 
procedure call only saves the contents of the general registers, and it might save the 
contents of only one register (the EIP register). A procedure call pushes the contents of 
the saved registers on the stack, in order that a procedure may call itself. When a 
procedure calls itself, it is said to be re-entrant. 


A task switch transfers execution to a completely new environment, the environment of a 
task. This requires saving the contents of nearly all the processor registers, such as the 
EFLAGS register. Unlike procedures, tasks are not re-entrant. A task switch does not | 
push anything on the stack. The processor state information i is saved in a data structure 
in memory, called a task state segment. 


The registers and data structures which support multitasking are: 
e Task state segment. 

e Task state segment descriptor. 

e Task register. 


e Task gate descriptor. 


With these structures, the Intel486 processor can switch execution from one task to 
another, with the context of the original task saved to allow the task to be restarted. In 
addition to the simple task switch, the Intel486 processor offers two other task- 
management features: 


1. Interrupts and exceptions can cause task switches (if needed in the system design). 
The processor not only performs a task switch to handle the interrupt or exception, 
but it automatically switches back when the interrupt or exception returns. Inter- 
rupts may occur during interrupt tasks. 


2. With each switch to another task, the Intel486 processor also can switch to another 
LDT. This can be used to give each task a different logical-to-physical address map- 
ping. This is an additional protection feature, because tasks can be isolated and 
prevented from interfering with one another. The PDBR register also is reloaded. 
This allows the paging mechanism to be used to enforce the isolation between tasks. 
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Use of the multitasking mechanism is optional. In some applications, it may not be the 
best way to manage program execution. Where extremely fast response to interrupts is 
needed, the time required to save the processor state may be too great. A possible 
compromise in these situations is to use the task-related data structures, but perform 
task switching in software. This allows a smaller processor state to be saved. This tech- 
nique can be one of the optimizations used to enhance system DEHORMante after the 
basic functions of a system have been apm: 7 : 


7.1 TASK STATE SEGMENT 


The processor state information needed to restore a task is saved in a type of segment, 
called a task state segment or TSS. Figure 7-1 shows the format of a TSS for an Intel486 

CPU task (compatibility with 80286 tasks is provided by a different. kind of TSS; see 

Chapter 21). The fields of a TSS are divided into two main eee: & 2% 


1. Dynamic fields the processor updates with Sach task itch These fields store: 
-e The general registers (EAX, ECX, EDX, EBX, ESP, EBP, ESI, and or a 
e The segment registers (ES, CS, SS, DS, FS, and see | 
@ The flags register (EFLAGS). 
e The instruction pointer (EJP). 


e The selector for the TSS of the es task (updated only wae a return is 
expected). | | cy 


2. Static fields the processor reads, but does not change. These fields are set up when 
a task is created. These fields store: pa oe ee , 


e The selector for the task’s LDT. 
e The logical address of the stacks for privilege levels 0, 1, and a 


e The T-bit (debug trap bit) which, when set, causes the processor to raise a debus 
exception when a task switch occurs. (See Cuapick, 7 for more apounaten on 
debugging.) 


_e The base address for. the I/O permission bit map. If present, this map is s stored i in 
the TSS at higher addresses. The base address points to the beginning of the 
map. (See Chapter 8 for more piormaGon about the YO Permssion bit map. ) 


If paging is cee it is important to avoid placing a page ainda within the oar of the 
TSS which is read by the processor during a task switch (the first 108 bytes). If-a page 
boundary is placed within this part of the TSS, the pages on either side of the boundary 
must be present at the same time. In addition, if paging is used, the pages corresponding 
to the old task’s TSS, the new task’s TSS, and the descriptor table entries for each 
should be marked as present and read/write. It is an unrecoverable error to receive a 
page fault or edie Brotecnon. exception after the ap Oeer has Started to read the 
TSS. | 7 | 
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31 
[soaoveoveaoe0000 | 


| EFLAGS | | | - 
RESERVED 
0000000000000000 
0000000000000000 


0000000000000000 . 


0000000000000000 LINK (OLD TSS SELECTOR) 


ADDRESSES ARE SHOWN IN HEXADECIMAL. | 
NOTE: BITS MARKED AS 0 ARE RESERVED. DO NOT USE. 


Figure 7-1. Task State Segment 
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7.2 TSS DESCRIPTOR | 


The task state segment, like all other segments, is defined by a descriptor. Figure 7-2 
shows the format of a TSS descriptor. 7 


The Busy bit in the Type field indicates whether the task is busy. A busy task is currently 
running or waiting to run. A Type field with a value of 9 indicates an inactive task; a 
value of 11 (decimal) indicates a busy task. Tasks are not recursive. The Intel486 pro- 
cessor uses the Busy bit to detect an attempt to call a task whose execution has been 
interrupted. . : 


The Base, Limit, and DPL fields and the Granularity bit and Present bit have functions 
similar to their use in data-segment descriptors. The Limit field must have a value equal 
to or greater than 67H, one byte less than the minimum size of a task state. An attempt 
to switch to a task whose TSS descriptor has a limit less than 67H generates an excep- 
tion. A larger limit is required if an I/O permission map is used. A larger limit also may 
be required for the operating system, if the system stores additional data in the TSS. 


A procedure with access to a TSS descriptor can cause a task switch. In most systems, 
the DPL fields of TSS descriptors should be clear, so only privileged software can per- 
form task switching. | OS, 


Access to a TSS descriptor does not give a procedure the ability to read or modify the 
descriptor. Reading and modification only can be done using a data descriptor mapped 


TSS DESCRIPTOR 


3 : 2 | 3 1111711377 
1 4 6543210987 


0 


BASE 31:24 Pa a ee BASE 23:16 
oo | | L lol1/olBl1 | 
| BASE ADDRESS 15:00 SEGMENT LIMIT 15:00 | 


AVAILABLE FOR USE BY SYSTEM SOFTWARE 
BUSY BIT 

SEGMENT BASE ADDRESS © 
DESCRIPTOR PRIVILEGE LEVEL 
GRANULARITY 

SEGMENT LIMIT 

SEGMENT PRESENT 

SEGMENT TYPE 
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- Figure 7-2. TSS Descriptor 
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to the same location in memory. Loading a TSS descriptor into a segment register gen- 
erates an exception. TSS descriptors only may reside in the GDT. An attempt to access 
a TSS using a selector with a set TI bit (which indicates the current LDT) generates an 
exception. 


7.3 TASK REGISTER 


The task register (TR) is used to find the current TSS. Figure 7-3 shows the path by 
which the processor accesses the TSS. 


The task register has both a “visible” part (i.e., a part which can be read and changed by 
software) and an “invisible” part (i.e., a part maintained by the processor and inaccessi- 
ble to software). The selector in the visible portion indexes to a TSS descriptor in the 
GDT. The processor uses the invisible portion of the TR register to retain the base and 
limit values from the TSS descriptor. Keeping these values in a register makes execution 
of the task more efficient, because the processor does not need to fetch ee values 
from memory to reference the TSS of the current task. 


The LTR and STR instructions are used to ‘modify and read the visible portion of the 
task register. Both instructions take one operand, a 16-bit segment selector located in 
memory or a general register. 


LTR (Load task register) loads the visible portion of the task register with the operand, 
which must index to a TSS descriptor in the GDT. The LTR instruction also loads the 
invisible portion with information from the TSS descriptor. The LTR instruction is a 
privileged instruction; it may be executed only when the CPL is 0. The LTR instruction 
generally is used during system initialization to put an initial value in the task register; 
. afterwards, the contents of the TR register are changed by events which cause a task 
switch. 


STR (Store task register) stores the visible portion of the task register in a general 
register or memory. The STR instruction is privileged. 7 


7.4 TASK GATE DESCRIPTOR | 


A task gate descriptor provides an indirect, protected reference to a task. Figure 7-4 
illustrates the format of a task gate. 


The Selector field of a task gate indexes to: a TSS descriptor. The RPL in this selector is 
not used. 7 


The DPL of a task gate controls access to the descriptor for a task switch. A procedure 
may not select a task gate descriptor unless the selector’s RPL and the CPL of the 
procedure are numerically less than or equal to the DPL of the descriptor. This prevents 
less privileged procedures from causing a task switch. (Note that when a task gate is 
used, the DPL of the destination TSS descriptor is not used.) 
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Figure 7-4. Task Gate Descriptor 


A procedure with access to a task gate can cause a task switch, as can a procedure with 
access to a TSS descriptor. Both task gates and TSS descriptors are provided to satisty 
three needs: 


1. The need for a task to have only one Busy bit. Because the Busy bit is stored in the 
TSS descriptor, each task should have only one such descriptor. There. may, how- 
ever, be several task gates which select a single TSS descriptor. 


2. The need to provide selective access to tasks. Task gates fill this need, because they 
can reside in an LDT and can have a DPL which is different from the TSS descrip- 
tor’s DPL. A procedure which does not have sufficient privilege to use the TSS 
descriptor in the GDT (which usually has a DPL of 0) can still call another task if it 
has access to a task gate in its LDT. With task gates, the operating oe can limit 
task switching to specific tasks. 


3. The need for an interrupt or exception to cause a task switch. Task gates also may 
reside in the IDT, which allows interrupts and exceptions to cause task switching. 
When an interrupt or exception supplies a vector to a task gate, the Intel486 proces- 
sor switches to the indicated task. 


Figure 7-5 illustrates how both a task gate in an LDT and a task gate in the IDT can 
identify the same task. 
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Figure 7-5. Task Gates Reference Tasks 


1. 5 TASK SWITCHING 


The Intel486 processor transfers execution to ) another task 1 in any of four cases: 
1. The current task executes a JMP or CALL toa TSS descriptor. 
2. The current task executes a JMP or CALL to a task gate. 
3. An interrupt or exception indexes to a task gate in the IDT. 


4, The current task executes an IRET when the NT Meee is set. 


The - IMP, CALL. and IRET instructions, as well ; as euemine and aceepuons are all 
ordinary mechanisms of the Intel486 processor which can be used in circumstances in 
which no task switch occurs. The descriptor type (when a task is called) or the NT flag 
(when the task returns) make the difference between the standard mechanism and the 
form which causes a task switch. es 
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To cause a task switch, a JMP or CALL instruction can transfer execution to either a 
TSS descriptor or a task gate. The effect is the same in either case: the Intel486 proces- 
sor transfers execution to the specified task. 7 


An exception or interrupt causes a task switch when it indexes to a task gate in the IDT. 
If it indexes to an interrupt or trap gate in the IDT, a task switch does 1 not occur. See 
Chapter 9 for more information on the interrupt mechanism. , 


An interrupt service routine always returns Baton to the interrupted procedure, 
which may be in another task. If the NT flag is clear, a normal return occurs. If the NT 
flag is set, a task switch occurs. The task receiving the task switch is specified by the TSS 
selector in the TSS of the interrupt service routine. | 


A task switch has these steps: 


1. Check that the current task i is allowed to switch to the new task. Data-access privi- 
lege rules apply to JMP and CALL instructions. The DPL of the TSS descriptor and 
the task gate must be numerically greater (e.g., lower privilege level) than or equal 
to both the CPL and the RPL of the gate selector. Exceptions, interrupts, and IRET 
instructions are permitted to switch tasks regardless of the DPL of the destination 
task gate or TSS descriptor. , 


2. Errors restore any changes made in the processor state when an attempt is made to 
execute the error-generating instruction. This lets the return address for the excep- 
tion handler point to the error-generating instruction, rather than the instruction 
following the error-generating instruction. The exception handler can fix the condi- 
tion which caused the error, and restart the task. The intervention of the exception 
handler can be completely transparent to the application program. 


3. Save the state of the current task. The processor finds the base address of the 
current TSS in the task register. The processor registers are copied into the current 
TSS (the EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, ES, CS, SS, DS, FS, GS, 
and EFLAGS registers). 


4. Load the TR register with the selector to the new task’s TSS descriptor, set the new 
_ task’s Busy bit, and set the TS bit in the CRO register. The selector is either the - 
operand of a JMP or CALL instruction, or it is taken from a task gate. 


5. Load the new task’s state from its TSS and continue execution. The registers loaded 
are the LDTR register; the EFLAGS register; the general registers EIP, EAX, 
ECX, EDX, EBX, ESP, EBP, ESI, EDI; and the segment registers ES, CS, SS, DS, 
FS, and GS. Any errors detected in this step occur in the context of the new task. To 
an exception handler, the first instruction of the new task appears not to have 
executed. 


Note that the state of the old task is always saved when a task switch occurs. If the task 
is resumed, execution starts with the instruction which normally would have been next. 
The registers are restored to the values they held when the task stopped running. 
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Every task switch sets the TS (task switched) bit in the CRO register. The TS bit is useful 
to system software for coordinating the operations of the integer unit with the floating- 
point unit or a coprocessor. The TS bit indicates that the context of the floating-point 
unit or coprocessor may be different from that of the current task. Chapter 10 discusses 
the TS bit and coprocessors in more detail. — 


Exception service routines for exceptions caused by task switching (exceptions resulting 
from steps 5 through 17 shown in Table 7-1) may be subject to recursive calls if they 
attempt to reload the segment selector which generated the exception. The cause of the 
exception (or the first of tuple EauaCS) should Be fixed pele oo the selector. 


The privilege ieee at which the old task was running fae no reine to the sivitese level 
of the new task. Because the tasks are isolated by their separate address spaces and task 
state segments, and because privilege rules control access to a TSS, no privilege checks 
are needed to perform a task switch. The new task begins executing at the privilege level 
indicated Py the RPL of new contents of the CS register, which are loaded from the TSS. 


7.6 TASK LINKING 


The Link field of the TSS and ihe NT T flag are ese to return execution to thie previous 
task. The NT flag indicates whether the currently executing task is nested within the 
execution of another task, and the Link field of the current task’s TSS holds the TSS 
selector for the higher-level task, if there i is one (see Ss 7- oe a et ew 


When an interrupt, exception, jump, or call causes a task sate, the Intel486 processor 
copies the segment selector for the current task state segment into the TSS for the new 
task and sets the NT flag. The NT flag indicates the Link field of the TSS has been 
loaded with a saved TSS selector. The new task releases control by executing an IRET 
instruction. When an IRET instruction is executed, the NT flag is checked. If it is set, 

the processor does a task switch to the previous task. Table 7- -2 summarizes the uses of 
the fields in a TSS which are affected by task switching... 


Note that the NT flag may be modified by software executing at any privilege level. It is 
possible for a program to set its NT bit.and execute an IRET instruction, which. would 
have the effect of invoking the task specified in the Link field of the current task’s TSS. 
To keep spurious task switches from succeeding, the operating system should initialize 
the Link field of every TSS it creates. 


7.6.1 Busy Bit Prevents Loops 


The Busy bit of the TSS descriptor prevents re-entrant task switching. There is only one 
saved task context, the context saved in the TSS, therefore a task only may be called 
once before it terminates. The chain of suspended tasks may grow to any length, due to 
multiple interrupts, exceptions, jumps, and calls. The Busy bit prevents a task from being 
called if it is in this chain. A re-entrant task switch would overwrite: tne ac TSS: for: the 
task, which would break the chain. - ee : “ 
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Table 7-1. Checks Made during a Task Switch 


TSS descriptor is present in 
memory 


TSS descriptor is not busy 


TSS segment limit greater 
than or equal to 108 


LDT selector of new task is 
valid? 

Code segment DPL matches 
selector RPL 

SS selector is valid* 

Stack segment is present in 
“memory 

Stack segment DPL matches 
CPL 

LDT of new task is present in 
memory 

CS selector is valid? 


Code segment is present in 
_ memory 


Stack segment DPL matches 
selector RPL 


DS, ES, FS, and GS selec- 
tors are valid? 

DS, ES, FS, and GS seg- 
ments are readable 

DS, ES, FS, and GS seg- 
ments are present in memory 
DS, ES, FS, and GS segment 
DPL greater than or equal to 


CPL (unless these are con- 
forming segments) 


New Task’s TSS 


Task’s backlink TSS 


New Task’s TSS 
New Task’s TSS 
New Code Segment 


New Stack Segment 
New Stack Segment 


Stack not present 
New Task’s TSS 


New Code Segment 


New Code Segment 


New Stack Segment 


New Data Segment 


New Data Segment 


New Data Segment 


New Data Segment 


NOTES: Future Intel processors may use a different order of checks. 

1. NP = Segment-not-present exception, GP = General-protection exception, TS = Invalid-TSS exception, 
SF = Stack exception. | 

2. A selector is valid if it is in a compatible type of table (e.g., an LDT selector may not be in any table 
except the GDT), occupies an address within the table’s segment limit, and refers to a compatible type of 
descriptor (e.g., a. selector in the CS register only is valid when it indexes to a descriptor for a code 

, segment; the descriptor type is specified in its Type field). | 
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Figure 7-6. Nested Tasks. 


Table 7-2. Effect of a Task Switch on Busy, NT, and Link Fields 


3 Effect of CALL 
Effect of Jump Instruction or 
: Interrupt 


Effect of IRET 
Instruction 


Busy bit of new task. Bit is set. Must have Bit is set. Must have No change. Must be 
ee been clear before. been clear before. set. 


| Busy bit of old task Bit is cleared. No change. Bit is cur- Bit is cleared. 
| rently set. | i £3 


NT flag of new task No change. . _ | Flag is set. | No change. _ 
NT flag of old task No change. | Nochange. — Flag is cleared. 


Link field of new.task. | No change. . .| Loaded with selector No change. | 
| for old task’s TSS. 7 


Link field of old task. No change. e | No change. — | No change. 
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The processor manages the Busy bit as follows: 
1. When switching to a task, the processor sets the Busy bit of the new task. | 


2. When switching from a task, the processor clears the Busy bit of the old task if that 
task is not to be placed in the chain (i.e., the instruction causing the task switch is a 
JMP or IRET instruction). If the task is placed in the chain, its Busy bit remains set. 


3. When switching to a task, the processor generates a ecnera’: poe i if 
the Busy bit of the new task already is set. 7 


In this way, the processor prevents a task from switching to itself or to any task in the 
chain, which prevents re-entrant task switching. 


The Busy bit may be used in multiprocessor configurations, because the processor 
asserts a bus lock when it sets or clears the Busy bit. This keeps two processors from 
invoking the same task at the same time. (See Chapter 13 for more information on 
multiprocessing.) 


7.6.2 Modifying Task Linkages 


Modification of the chain of suspended tasks may be needed to resume an interrupted 
task before the task which interrupted it. A reliable way to do this is: 


1. Disable interrupts. 


2. First change the Link field in the TSS of the interrupting task, then clear the Busy 
bit in the TSS descriptor of the task being removed from the chain. 


3. Re-enable interrupts. 


7.7 TASK ADDRESS SPACE 


The LDT selector and PDBR (CR3) field of the TSS can be used to give each task its 
own LDT and page tables. Because segment descriptors in the LDTs are the connections 
between tasks and segments, separate LDTs for each task can be used to set up individ- 
ual control over these connections. Access to any particular segment can be given to any 
particular task by placing a segment descriptor for that segment in the LDT for that task. 
If paging is enabled; each task can have its own set of page tables for mapping linear 
addresses to physical addresses. 


It also is possible for tasks to have the same LDT. This is a simple and memory-efficient 
way to allow some tasks to communicate with or control each other, without dropping 
the protection barriers for the entire system. | 


Because all tasks have ‘access to the GDT, it also is possible to create shared segments 
accessed through segment descriptors in this table. 
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7.7.1 Task Linear-to-Physical Space Mapping 


The choices for arranging the ee to- “physical mappings of tasks fall into two general 
classes: , | 


1. One linear-to-physical mapping shared among all tasks. When paging is not enabled, 

this is the only choice. Without paging, all linear addresses map to the same physical 
addresses. When paging is enabled, this form of linear-to-physical mapping is 
obtained by using one page directory for all tasks. The linear space may exceed the 
available physical space if demand-paged virtual memory is supported. 


Zi Independent linear-to-physical mappings for each task. This form of mapping comes 
from using a different page directory for each task. Because the PDBR (page direc- 
tory base register) is loaded from the TSS me each task switch, each task oe have 
a different ae directory. 


The linear address spaces of different tasks may map to completely distinct physical 
addresses. If the entries of different page directories point to different page tables and 
the page tables point to different pages of physical memory, then the tasks do not share 
any physical addresses. 


The task state segments must lie in a space accessible to all tasks so that the mapping of 
TSS addresses does not change while the processor is reading and updating the TSSs 
during a task switch. The linear space mapped by the GDT also should be mapped to a 
shared physical space; otherwise, the purpose of the GDT is defeated. Figure 7-7 shows 
how the linear spaces of two tasks can overlap in the physical space by sharing page 
tables. 


7.7.2 Task Logical Address Space 


By itself, an overlapping linear-to-physical space mapping does not allow sharing of data 
among tasks. To share data, tasks must also have a common logical-to-linear space map- 
ping; i.e., they also must have access to descriptors which point into a shared linear 
address space. There are three ways | to create shared HOgIcals to- puysicet address-space 
mappings: 


1. Through the segment descriptors in the GDT. All tasks have access to the destin: 
tors in the GDT. If those descriptors point into a linear-address space which is 
mapped to a common physical-address space for all tasks, then the tasks can share 
data and instructions. 


2. Through shared LDTs. Two or more tasks can use the same LDT if the LDT selec- 
tors in their TSSs select the same LDT for use in address translation. Segment 
descriptors in the LDT addressing linear space mapped to overlapping physical 
space provide shared physical memory. This method of sharing is more selective 
than sharing by the GDT; the sharing can be limited to specific tasks. Other tasks in 
the system may have different LDTs which do not give them access to the shared 
areas. 7 : 
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3. Through segment descriptors in the LDTs which map to the same linear address. 
space. If the linear address space is mapped to the same physical space by the page 
mapping of the tasks involved, these descriptors permit the tasks to share space. 
Such descriptors are commonly called “aliases.” This method of sharing is even 
more selective than those listed above; other descriptors in the LDTs may point to 
independent linear addresses which are not shared. 
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Figure 7-7. Overlapping Linear-to-Physical Mappings 
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CHAPTER 8 
INPUT/OUTPUT 


This chapter explains the input/output architecture of the Intel486 processor. Input/ 
output is accomplished through I/O ports, which are registers connected to peripheral 
devices. An I/O port can be an input port, an output port, or a bidirectional port. Some 
I/O ports are used for carrying data, such as the transmit and receive registers of a serial 
interface. Other I/O ports are used to control peripheral devices, such as the control 
registers of a disk controller. 


The Intel486 processor always synchronizes I/O instruction execution with external bus 
activity. All previous instructions are completed before an I/O operation begins. In par- 
ticular, all writes held pending in the Intel486 CPU write buffers will be completed 
before an I/O read or write is performed. 


The input/output architecture is the programmer’s model of how these ports are 
accessed. The discussion of this model includes: 


e Methods of addressing I/O ports. 
e Instructions which perform I/O operations. 
eo The I/O protection mechanism. 


8.1 I/O ADDRESSING 


The Intel486 processor allows I/O ports to be addressed in either of two ways: 
e Through a separate I/O address space accessed using I/O instructions. 


e Through memory-mapped I/O, where I/O ports appear in the address space of phys- 
ical memory. 


The use of a separate I/O address space is supported by special instructions and a 
hardware protection mechanism. When memory-mapped I/O is used, the general- 
purpose instruction set can be used to access I/O ports, and protection is provided using 
segmentation or paging. Some system designers may prefer to use the I/O facilities built 
into the processor, while others may prefer the simplicity of a single Bieicen address 
space. 


If segmentation or paging is used for protection of the I/O address space, the AVL fields 
in segment descriptors or page table entries may be used to mark pages containing I/O 
as unrelocatable and unswappable. The AVL fields are provided for this kind of use, 
where a system programmer needs to make an extension to the address translation and 
protection mechanisms. | ? 


Hardware designers use these ways of mapping I/O ports into the address space when 
_ they design the address decoding circuits of a system. I/O ports can be mapped so that 
they appear in the I/O address space or the address space of physical memory (or both). 
System programmers may need to discuss with hardware designers the kind of I/O 
addressing they would like to have. : 
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8.1.1 1/O Address Space 


The Intel486 processor provides a separate I/O address space, distinct from the address — 
space for physical memory, where I/O ports can be placed. The I/O address space con- 
sists of 2'° (64K) individually addressable 8-bit ports; any two consecutive 8-bit ports can 
be treated as a 16-bit port, and any four consecutive ports can be a 32-bit port. Extra bus 
cycles are required if a port crosses the boundary between two doublewords i in physical 
memory. | 


The M/IO# pin on the Intel486 processor indicates when a bus cycle to the I/O address 
space occurs. When a separate I/O address space is used, it is the responsibility of the 
hardware designer to make use of this signal to select I/O ports rather than memory. In 
fact, the use of the separate I/O address space simplifies the hardware design becausé 
these ports can be selected by a single signal; unlike other processors, it is not necessary 
to decode a number of upper address lines in order to set up a separate I/O address 
space. 7 


A program can specify the address of a port in two ways. With an immediate byte 
constant, the program can specify: 


© 256 8-bit ports numbered 0 through 255. — 
e 128 16-bit ports numbered 0, 2, 4,..., 252, 254. 
e 64 32-bit ports numbered 0, 4, 8,... , 248, 252. 


Using a value in the DX register, the program can nepeCs 
e 8-bit ports numbered 0 through 65535. 

e 16-bit ports numbered a 65532, 65534. 

o 32-bit ports numbered 0, 4, 8, ... , 65528, 65532. 


The Intel486 processor can transfer 8, 16, or 32 bits to.a device in the I/O space. Like 
words in memory, 16- bit ports should be aligned to even addresses so that all 16 bits can 
be transferred in a single bus cycle. Like doublewords in memory, 32-bit ports should be 
aligned to addresses which are multiples of four. The processor supports data transfers 
to unaligned ports, but there is a poo penalty because an extra bus cycle must 
be used. 4 


The IN and OUT instructions move data between a register and a port in the J/O 
address space. The instructions INS and OUTS move strings of data between the mem- 
ory address 5 Space and ports in the I/O address Space: : 


1/0 port addresses 0F8H ae OFFH:; are reserved for use by Intel®. Dei not assign 10 
pore to ue HORIESSES 


The exact order of Bae cycles ‘ded to access parts sich: require more fi one bas cycle 7 
is undefined. For example, an OUT instruction which loads an unaligned doubleword 
port at location 2H accesses the word at 4H before accessing the word at 2H. This 
behavior is neither defined, nor guaranteed to remain the same in future Intel products. 
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If software needs to produce a particular order of bus cycles, this order must be specified 
explicitly. For example, to load a word-length port at 4H followed by loading a word port 
at 2H, two word-length instructions must be used, rather than a single doubleword 
instruction. 


Note that although the Intel486 processor automatically masks parity errors for certain 
types of bus cycles, such as interrupt acknowledge cycles, it does not mask parity for bus 
cycles to the I/O address space. Programmers may need to be aware of this behavior as a 
possible source of spurious parity errors. 


8.1.2 Memory-Mapped I/O 


I/O devices may be placed in the address space for physical memory. This is called 
memory-mapped I/O. As long as the devices respond like memory components, they can 
be used with memory-mapped I/O. 


Memory-mapped I/O provides additional programming flexibility. Any instruction which 
references memory may be used to access an I/O port located in the memory space. For 
example, the MOV instruction can transfer data between any register and a port. The 
AND, OR, and TEST instructions may be used to manipulate bits in the control and 
status registers of peripheral devices (see Figure 8-1). Memory-mapped I/O can use the 
full instruction set and the full complement of addressing modes to address I/O ports. 


PHYSICAL MEMORY 


INPUTIOUTPUT PORT | 
| INPUTIOUTPUT PORT 


INPUT/IOUTPUT PORT 


Figure 8-1. Memory-Mapped I/O 
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To optimize performance, the Intel486 CPU allows reads to be re-ordered ahead of 
buffered writes in certain precisely-defined circumstances. (See the Intel486™ Processor 
Hardware Reference Manual for further details about the operation of the write buffer.) 
Using memory-mapped I/O on the Intel486 CPU therefore creates the possibility that an - 
I/O read will be performed before the memory write of a previous instruction. To elim- 
inate this possibility, use an Ho, instruction for the read. . 


Using an I/O instruction for an VO arte ii also‘be acanterenes because it guarantees 
that the write will be completed before the next instruction begins execution. If I/O 
writes are used to control system hardware, then this sequence of events is desirable, 
since it guarantees that the next instruction will be executed in the new state. 


If caching i is enabled, either Saertal hardware or the paging mechanism (the PCD bit in 
the page table entry) must be used to prevent caching of l/O data. r 


Memory-mapped I/O, like any other memory reference, a oe to access protection 
and control. See Chapter 6 fora discussion of memory protection. 


8.2 1/0 INSTRUCTIONS — 


The I/O instructions of the Intel486 processor provide access to the processor’ s I/O ports 
for the transfer of data. These instructions have the address of:a port in the I/O address 
space as an operand. There are two kinds of YO instructions: 


1. Those which transfer a single item (byte, word: or doubleword) to or from a register. 


2. Those which transfer strings of items (strings of bytes, words, or doublewords) 
located in memory. These are known as “string J/O instructions” or “block I/O 
instructions.” 


These instructions cause the M/IO# signal to be driven low (logic 0) during a bus cycle, 
which indicates to external hardware that access to the I/O address space is taking place. 
If memory-mapped I/O is used, there is no reason to use I/O instructions. 


8.2.1 Register I/O Instructions 


The I/O instructions IN and OUT move data between I/O ports and the EAX register 
(32-bit I/O), the AX register (16-bit I/O), or the AL (8-bit I/O) register. The IN and 
OUT instructions address I/O ports either directly, with the address of one of 256 port 
addresses coded in the instruction, or indirectly using an address in the DX register to 
select one of 64K port addresses. These instructions synchronize program execution to 
external hardware. The Intel486 processor write buffers are cleared and program execu- 
tion delayed until the last ready of the last bus cycle has been returned. 
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IN (Input from Port) transfers a byte, word, or doubleword from an input port to the 
AL, AX, or EAX registers. A byte IN instruction transfers 8 bits from the selected port 
to the AL register. A word IN instruction transfers 16 bits from the port to the AX 
register. A doubleword IN instruction transfers 32 bits from the port to the EAX 
register. 


OUT (Output from Port) transfers a byte, word, or doubleword from the AL, AX, or 
EAX registers to an output port. A byte OUT instruction transfers 8 bits from the AL 
register to the selected port. A word OUT instruction transfers 16 bits from the AX 
register to the port. A doubleword OUT instruction transfers 32 bits from the EAX 
register to the port. 


8.2.2 Block I/O Instructions 


The INS and OUTS instructions move blocks of data between I/O ports and memory. 
Block I/O instructions use an address in the DX register to address a port in the I/O 
address space. These instructions use the DX register to specify: 


e §8-bit ports numbered 0 through 65535. 
0 16-bit ports numbered 0, 2, 4,..., 65532, 65534. 
o 32-bit ports numbered 0, 4, 8, ... , 65528, 65532. 


Block I/O instructions use either the SI or DI register to address memory. For each 
transfer, the SI or DI register is incremented or decremented, as specified by the DF 
flag. 


The INS and OUTS instructions, when used with repeat prefixes, perform block input or 
output operations. The repeat prefix REP modifies the INS and OUTS instructions to 
transfer blocks of data between an I/O port and memory. These block I/O instructions 
are string instructions (see Chapter 3 for more on string instructions). They simplify 
programming and increase the speed of data transfer by eliminating the need to use a 
separate LOOP instruction or an intermediate register to hold the data. 


The string I/O instructions operate on byte strings, word strings, or doubleword strings. 
After each transfer, the memory address in the ESI or EDI registers is incremented or 
decremented by 1 for byte operands, by 2 for word operands, or by 4 for doubleword 
operands. The DF flag controls whether the register is incremented (the DF flag is 
clear) or decremented (the DF flag is set). 


INS (input String from Port) transfers a byte, word, or doubleword string element from 
an input port to memory. The INSB instruction transfers a byte from the selected port to 
the memory location addressed by the ES and EDI registers. The INSW instruction 
transfers a word. The INSD instruction transfers a doubleword. A segment override 
prefix cannot be used to specify an alternate destination segment. Combined with a REP 
prefix, an INS instruction makes repeated read cycles to the port, and a the data into 
consecutive locations in memory. 
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OUTS (Output String from Port) transfers a byte, word, or doubleword string element 
from memory to an output port. The OUTSB instruction transfers a byte from the mem- 
ory location addressed by the DS and ESI registers to the selected port.. The OUTSW 
instruction transfers a word. The OUTSD instruction transfers a doubleword. A segment 
override prefix cannot be used to specify an alternate source segment. Combined with a 
REP prefix, an OUTS instruction reads consecutive locations in memory, and writes the 
data to an output port. 7 


8.3 PROTECTION AND 1/O 
_ The I/O architecture has two protection mechanisms: 


1. The IOPL field in the EFLAGS register controls access to the T/O instructions. _ 


2. The I/O permission bit map of a TSS segment controls access to individual ports j in 
the I/O address space. ? 


These sprotestioll meshanisnis are available only when a separate I/O address space. is 
used. When memory-mapped I/O is used, prgteron is prouces using segmentation or 


paging. 


| 8.3.1 1/O Privilege Level 


In systems where I/O protection is used, access to I/O instructions is controlled by the 
JOPL field in the EFLAGS register. This permits the operating system to ‘adjust the 
privilege level needed to perform I/O. In a typical protection ring model, privilege levels — 
0.and 1 have access to the J/O instructions. This lets the operating system and the device 
drivers perform. I/O, but keeps applications and less privileged device drivers from 
ALES EHS: the I/O, address space. Applications access I/O tapous the operating ystems 


The following i instructions can be ects only if CPL s IOPL: 


IN Taput 7 

INS — Input String 

OUT. —Output 

OUTS —Output String 

CLI —Clear Interrupt-Enable Flag 
STI § —Set Interrupt-Enable Flag 


These instructions are called “sensitive” instructions, because they are sensitive to the 
JIOPL field. In virtual-8086 mode, IOPL is not used; only the uo Pop eeSes bit map 
limits access to J/O ports (see Chapter ee 3 


To use ‘sensitive instructions, a procedure must run ata sriviieee level at least as privi- 
leged as that specified by the IOPL field. Any attempt by a less privileged procedure to 
use a sensitive instruction results in a general-protection exception. Because each task 
has its own copy of the EFLAGS register, each task can have a different IOPL. | 
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A task can change IOPL only with the POPF instruction; however, such changes are 
privileged. No procedure may change its IOPL unless it is running at privilege level 0. 
An attempt by a less privileged procedure to change the IOPL does not result in an 
exception; the IOPL simply remains unchanged. 


The POPF instruction also may be used to change the state of the IF flag (as can the 
CLI and STI instructions); however, changes to the IF flag using the POPF instruction 
are IOPL-sensitive. A procedure may change the setting of the IF flag with a POPF 
instruction. only if it runs with a CPL at least as privileged as the IOPL. An attempt by a 
less privileged procedure to change the IF flag does not result in an exception; the IF 
flag simply remains unchanged. . 


8.3.2 1/O Permission Bit Map 


The Intel486 processor can generate exceptions for references to specific I/O addresses. 
These addresses are specified in the I/O permission bit map in the TSS (see Figure 8-2). 
The size of the map and its location in the TSS are variable. The processor finds the I/O 


TASK STATE SEGMENT 


1/0 PERMISSION 
BIT MAP 


NOTE: BASE ADDRESS FOR 1/O BIT MAP 
MUST NOT EXCEED DFFF (HEXA- 
DECIMAL) . 


LAST BYTE OF BIT MAP MUST BE 
FOLLOWED BY A BYTE WITH ALL 
BITS SET. 
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Figure 8-2. I/O Permission Bit Map 
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permission bit map with the I/O map base’ address: in the TSS. The base address ‘is .a 
16-bit offset into the ‘TSS. This is an ‘offset to the beginning of ie bit meP ‘The. a of 
the TSS is the limit on. the size of the se aaa bit me | 


Because each task has its own TSS, each task has its own 1 VO permission bit imap. Access 
to individual uO pore can be: eranted. to. bndwadual tasks. . : ee | . 


if CPL < JOPL i in protected mode: then: the processor dllows We) eae to enter 
If CPL >IOPL,; or if the. processor. is. operating. in virtual 8086 mode, then the processor 
checks the I/O permission map. Each bit in the map corresponds to an I/O port byte 
address; for example, the control bit for address 41 (decimal)-in the I/O address:space is 
found at bit position 1 of the sixth byte in the bit map. The processor tests all the bits 
corresponding to the I/O port being addressed; for example, a doubleword operation 
tests four bits corresponding to four adjacent byte addresses: If any tested bit is set, a 
general- protechan exception is pera’ If all tested bits are clear, the I/O operation 
er se 4 aioe! eT oe. jt ee _ se es atte ea 


Because 1/0 ports. hil are - not aid to word and doubleword boundaries | are per- 
mitted, it is possible that the processor may need to access two bytes in the bit map when 
I/O permission is checked. For maximum speed, the processor has been designed to read. 
two bytes for every access to an I/O port. To prevent exceptions from being generated 
when the ports with the highest addresses are accessed, an extra byte needs to come. 
after the table. This byte must have all of.its bits set, and it must be within the segment 
limut. | | oa. 


It j is not necessary for thé 1/O permission bit map to srepreacii all the I/O addresses. I/O. 
addresses not spanned by the map are treated as if they had set bits in the map. For 
example, if the TSS segment limit is 10 bytes past the bit map base address, the map has 
11 bytes and the first 80 I/O ports are diet aa sab addresses in the I/O address 
space generate exceptions.  =—«s_— | ; 


If the I/O bit map base address is greater than or equal to the TSS segment limit, there 


is no I/O permission map, and all I/O instructions pee a The base address, 
must be less than or equal t to > ODEFFH. — 
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CHAPTER 9 | 
EXCEPTIONS AND INTERRUPTS 


Exceptions and interrupts are forced transfers of execution to a task or a procedure. The 
task or procedure is called a handler. Interrupts occur at random times during the exe- 
cution of a program, in response to signals from hardware. Exceptions occur when 
instructions are executed which provoke exceptions. Usually, the servicing of interrupts 
and exceptions is performed in a manner transparent to application programs. Interrupts 
are used to handle events external to the processor, such as requests to service periph- 
eral devices. Exceptions handle conditions detected by the processor in the course of 
executing instructions, such as division by 0. 


There are two sources for interrupts and two sources for exceptions: 


1. Interrupts 


0 Maskable interrupts, which are received on the INTR input of the Intel486 pro- 
cessor. Maskable interrupts do not occur unless the interrupt-enable flag (IF) is 
set. | 


0 Nonmaskable interrupts, which are received on the NMI (Non-Maskable Inter- 
rupt) input of the processor. The processor does not provide a mechanism to 
prevent nonmaskable interrupts. 


2. Exceptions 


eo Processor-detected exceptions. These are further classified as faults, traps, ‘and 
aborts. 


3. Programmed exceptions. The INTO, INT 3, INT n, and BOUND instructions may 
trigger exceptions. These instructions often are called ‘ ‘software interrupts,” but the 
processor handles them as i we, | | 


This chapter explains the features of the Intel486 processor wien: control and vespond 
to interrupts. 


9.1 EXCEPTION AND INTERRUPT VECTORS 


The processor associates an identifying number with each different type of miterrupes or 
exception. This number is called a vector. 


The NMI interrupt and the exceptions are assigned vectors in the range 0 through 31. 
Not all of these vectors are currently used by the processor; unassigned vectors in this 
range are reserved for possible future uses. Do not use unassigned vectors. 


The vectors for maskable interrupts are determined by hardware. External interrupt 
controllers (such as Intel’s 8259A Programmable Interrupt Controller) put the vector on 
the bus of the Intel486 processor during its interrupt-acknowledge cycle. Any vectors in 
the range 32 through 255 can be used. Table 9-1 shows the assignment of ee uen and 
interrupt vectors. 
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Table 9-1. Exception and Interrupt Vectors 


_ Divide Error 

Debug Exception 
NMI Interrupt 
Breakpoint ° 
INTO-detected Overflow 
BOUND Range Exceeded 
Invalid Opcode 
Device Not Available 
Double Fault aa 
CoProcessor Segment Overrun. 
Invalid Task State Segment 
Segment Not Present 
Stack Fault 
General Protection 
Page Fault 
(Intel reserved.. Do not use.) 
Floating-Point Error 
Alignment Check _ 
(Intel reserved. Do not use.) 

_ Maskable Interrupts 


0 
1 
2 
ae 
4 
5 
. 6 
7 
8 
9 
10 


—_— 
—_hk 


‘> NO OB OP 


Exceptions are classified as faults, traps, or aborts depending on the way they are 
reported and whether restart of the instruction which caused the exception is supported. 


Faults — A fault is an exception which is reported at the instruction boundary prior to the 
instruction in which the exception was detected. The fault is reported with the machine 
restored to a state which permits the instruction to be restarted. The return address for 
the fault handler points to the instruction which generated the fault, rather than the 
instruction following the faulting instruction. 


Traps—A trap is an exception which is reported at the instruction boundary immediately 
after the instruction in which the exception was detected. 


Aborts—An abort is an exception which does not always report the location of the 
instruction causing the exception and does not allow restart of the program which caused 
the exception. Aborts are used to report severe errors, such as hardware errors and 
inconsistent or illegal values in system tables. 


9.2 INSTRUCTION RESTART 


For most exceptions and interrupts, transfer of execution does not eke eae: until the 
end of the current instruction. This leaves the EIP register pointing at the instruction 
which comes after the instruction which was being executed when the exception or inter- 
rupt occurred. If the instruction has a repeat prefix, transfer takes place at the end of 
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the current iteration with the registers set:to execute the next iteration. But if the excep- 
tion is a fault, the processor registers are restored to the state they held before execution 
of the instruction began. This permits instruction restart. 


Instruction restart is used to handle exceptions which block access to operands. For 
example, an application program could make reference to data in a segment which is not 
present in memory. When the exception occurs, the exception handler must load the 
segment (probably from a hard disk) and resume execution beginning with the instruc- 
tion which caused the exception. At the time the exception occurs, the instruction may 
have altered the contents of some of the processor registers. If the instruction read an 
operand from the stack, it is necessary to restore the stack pointer to its previous value. 
All of these restoring operations are performed by the processor in a manner completely 
transparent to the application program. : 


When a fault occurs, the EIP register is restored to point to the instruction which 
received the exception. When the exception handler returns, execution resumes with this 
instruction. 


9.3 ENABLING AND DISABLING INTERRUPTS 


Certain conditions and flag scHines cause the processor to inhibit certain kinds of inter- 
rupts and ne 7 | 


9.3.1 NMI Masks Further NMls 


While an NMI interrupt handler is executing, the processor disables additional calls to 
the procedure or task which handles the interrupt until the next IRET instruction is 
executed. This prevents stacking up calls to the interrupt handler. It is recommended 
_ that interrupt gates be used for NMI’s in order to disable nested maskable interrupts, 
since an IRET instruction from the maskable-interrupt handler would re-enable NMI. 


9.3.2 IF Masks INTR 


The IF flag can turn off servicing of interrupts received on the INTR pin of the proces- 
sor. When the IF flag is clear, INTR interrupts are ignored; when the IF flag is set, 
INTR interrupts are serviced. As with the other flag bits, the processor clears the IF flag 
in response to a RESET signal. The STI and CLI instructions set and clear the IF flag. 


CLI (Clear Interrupt-Enable Flag) and STI (Set Interrupt-Enable Flag) put the IF flag 
(bit 9 in the EFLAGS register) ina known state. These instructions may be executed 
only if the CPL is.an equal or more privileged level than the IOPL. A general- een 
exception is s generated if they are executed with a lesser privileged level. | 
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The IF flag also is affected by the following operations: 


e The PUSHF instruction stores all flags on the stack, where. they can be ne and 
modified. The POPF instruction can be used to load the modified form back into the 
| EFLAGS register. 


e Task switches al the POPF and IRET instructions load the EFLAGS register 
therefore, they can be used to modify the setting of the IF flag. | : 


e Interrupts through interrupt gates automatically clear the IF flag, which disables 
interrupts. Caer gates are explained later in this pchap ie 


9.3.3 RF Masks Debug Faults 


The RF flag in the EFLAGS register can be used to turn off servicing of debug faults, If 
it is clear, debug faults are serviced; if it is set, they are ignored. This is used to suppress 
multiple calls to the een excepuon handler when a breakpoint occurs. 


For example, an instruction breakpoint may have been set for an instruction which ref- 
erences data in a segment which is not present in memory. When the instruction is 
executed for the first time, the breakpoint generates a debug exception. Before the 
debug handler returns, it should set the RF flag in the copy of the EFLAGS register 
saved on the stack. This allows the segment-not-present fault to be reported after the 
debug exception handler transfers execution back to the instruction. If the flag is not set, 
another debug exception occurs after the debug exception handler returns. | 


The processor sets the RF bit in the saved contents of the EFLAGS register when the 
other faults occur, so multiple debug exceptions are not generated when the instruction 
is restarted due to the segment-not-present fault. The processor clears its RF flag when 
the execution of the faulting instruction completes. This allows an instruction breakpoint 
to be generated for the following instruction. (See Chapter 11 for more information on 
debugging.) 


' 9.3.4 MOV or POP to SS Masks Some Exceptions —e | 


Software which needs to change stack segments often uses a pair of instructions; for 
example: 7 


MOV SS, AX 
MOV ESP, StackTop 


If an interrupt or exception occurs after the segment selector has been loaded but ‘before 
the ESP register has been loaded, these two parts of the logical address into the stack 
space are inconsistent for the duration of the interrupt or exception handler. « | 
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To prevent this situation, the Intel486 processor inhibits interrupts, debug exceptions, | 
and single-step trap exceptions after either a MOV to SS instruction or a POP to SS 
instruction, until the instruction boundary following the next instruction is reached. 
General-protection faults may still be generated. If the LSS instruction is used to modify 
the contents of the SS register, the problem does not occur. 7 


9.4 PRIORITY AMONG SIMULTANEOUS EXCEPTIONS AND 
INTERRUPTS 


If more than one exception or interrupt is pending at an instruction boundary, the pro- 
cessor services them in a predictable order. The priority among classes of exception and 
interrupt sources is shown in Table 9-2. The processor first services a pending exception 
or interrupt from the class which has the highest priority, transferring execution to the 
first instruction of the handler. Lower priority exceptions are discarded; lower priority 
interrupts are held pending. Discarded exceptions are re-issued when the interrupt han- 
dler returns execution to the point of interruption. 


9.5 INTERRUPT DESCRIPTOR TABLE 


The interrupt descriptor table (IDT) associates each exception or interrupt vector with a. 
descriptor for the procedure or task which services the associated event. Like the GDT 
and LDTs, the IDT is an array of 8-byte descriptors. Unlike the GDT, the first entry of 
the IDT may contain a descriptor. To form an index into the IDT, the processor scales 
the exception or interrupt vector by eight, the number of bytes in a descriptor. Because 


Table 9-2. Priority Among Simultaneous Exceptions and Interrupts 
Priority . | Descriptions 


Highest Debug Trap Exceptions from the last instruction 
(TF flag set, T bitin TSS set, or data breakpoint) 
Debug Fault Exceptions for the next instruction (code breakpoint) 
Faults from fetching next instruction (Segment-Not-Present Fault or General- 
Protection Fault) 
Non-Maskable Interrupt 
Maskable Interrupt 
Faults from instruction decoding (Illegal Opcode, instruction too long, or 
privilege violation) if WAIT instruction, Coprocessor-Not-Available 
Exception (TS and.MP bits of CRO set) if ESC instruction, Coprocessor-Not- 
Available 
Exception (EM or TS bits of CRO set) if WAIT or ESC instruction, 
Coprocessor-Error 
Exception (Error# pin asserted) ~ 
Segment-Not-Present Faults, Stack Faults, and General-Protection Faults for 
memory operands 
Alignment Faults for memory operands 


Lowest 7 Page Faults for memory operands — 
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there are only 256 vectors, the IDT need not contain more than 256 descriptors. It can 
contain fewer than 256 descriptors: descriptors are required only for the ad vec- 
tors which may occur. , , 


The IDT may reside sapiens: in physical memory. As istic 9- 1 os the processor 
locates the IDT using the IDTR register. This register holds both a 32- bit base address 
and 16-bit limit for the IDT. The LIDT and SIDT instructions load and store the con- 
tents of the IDTR register. Both instructions have one operand, which is the address of 
six bytes in memory. _ 


If a vector references a descriptor beyond the limit, the processor enters shutdown 


mode. In this mode, the processor stops executing instructions until an NMI interrupt is 
received or reset initialization is invoked. The processor generates a special bus cycle to 


IDTR REGISTER 


47 16 «15 0 


_ IDT BASE ADDRESS | IDT LIMIT | 


INTERRUPT. 
DESCRIPTOR TABLE 


INTERRUPT | 
INTERRUPT #N 


GATE FOR 
INTERRUPT #3 


GATE FOR 
INTERRUPT #2 


‘GATE FOR 
INTERRUPT #1 
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Figure 9-1. IDTR Register Locates IDT in Memory 
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indicate it has entered shutdown mode. Software designers may need to be aware of the 
response of hardware to receiving this signal. For example, hardware may turn on an 
indicator light on the front panel, generate an NMI interrupt to record diagnostic infor- 
mation, or invoke reset initialization. | 


' LIDT (Load IDT register) loads the IDTR register with the base address and limit held 
in the memory operand. This instruction can be executed only when the CPL is 0. It 
normally is used by the initialization code of an operating system when creating an IDT. 
An operating system also may use it to change from one IDT to another. — | 


SIDT (Store IDT register) copies the base and limit value stored in IDTR to memory. 
This instruction can be executed at any privilege level. 


9.6 IDT DESCRIPTORS 


The IDT may contain any of three kinds of descriptors: 
e Task gates — 
o Interrupt gates 


e Trap gates 


Figure 9-2 shows the format of task gates, interrupt gates, and trap gates. (The task gate 
in an IDT is the same as the task gate in the GDT or an LDT already discussed in 
Chapter 7.) | 7 | 


9.7 INTERRUPT TASKS AND INTERRUPT PROCEDURES 


Just as a CALL instruction can call either a procedure or a task, so an exception or 
interrupt can “call” an interrupt handler as either a procedure or a task. When respond- 
ing to an exception or interrupt, the processor uses the exception or interrupt vector to 
index to a descriptor in the IDT. If the processor indexes to an interrupt gate or trap 
gate, it calls the handler in a manner similar to a CALL to a call gate. If the processor 
finds a task gate, it causes a task switch in a manner similar to a CALL to a task gate. — 


9.7.1 Interrupt Procedures 


An interrupt gate or trap gate indirectly references a procedure which runs in the con- © 
text of the currently executing task, as shown in Figure 9-3. The selector of the gate 
points to an executable-segment descriptor in either the GDT or the current LDT. The 
offset field of the gate descriptor points to the beginning of the exception or interrupt 
handling procedure. 


The Intel486 processor calls an exception or interrupt handling procedure in much the 
Same manner as a procedure call; the differences are explained in the following sections. 
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TASK GATE 
1111 
65 43210987 


TSS SEGMENT SELECTOR | RESERVED 


INTERRUPT GATE 


SEGMENT SELECTOR . OFFSET 15:00 


TRAP GATE 


OFFSET 31:16 | Hi feo RESERVED 


SEGMENT SELECTOR . OFFSET 15: 00. 


DPL DESCRIPTOR PRIVILEGE LEVEL 

OFFSET OFFSET TO PROCEDURE ENTRY POINT 

P SEGMENT PRESENT BIT 

RESERVED DONOT USE 

SELECTOR SEGMENT SELECTOR FOR DESTINATION 
CODE SEGMENT 
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Figure 9-2. IDT Gate Descriptors 
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DESTINATION 
CODE SEGMENT 


INTERRUPT 
PROCEDURE 


INTERRUPT OR 
INTERRUPT TRAP GATE 
VECTOR 


SEGMENT SELECTOR 


GDT OR LDT BASE ADDRESS 


SEGMENT 
DESCRIPTOR 
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Figure 9-3. Interrupt Procedure Call 
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9.7.1.1 STACK OF INTERRUPT PROCEDURE 


Just as with a transfer of execution using a CALL instruction, a transfer to an exception 
or interrupt handling procedure uses the stack to store the processor state. As Figure 9-4 
shows, an interrupt pushes the contents of the EFLAGS register onto the stack before 
pushing the address of the interrupted instruction. 


Certain types of exceptions also push an error code on the stack. An exception handler 
can use the error code to help diagnose the exception. 


NO PRIVILEGE LEVEL : NO PRIVILEGE LEVEL 
CHANGE, NO ERROR CODE ~ CHANGE, WITH ERROR CODE 


a 


PRIVILEGE LEVEL | PRIVILEGE LEVEL 
CHANGE, NO ERROR CODE _. ' CHANGE, WITH ERROR CODE 


TSS 
> 
OLDESP | | i OLD ESP 
- OLD EFLAGS OLD EFLAGS 


OLD CS | | OLD CS 
OLD EIP — NEW ESP OLD EIP 


_ ERROR CODE NEW ESP 
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Figure 9-4. Stack Frame After Exception or Interrupt | 
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9.7.1.2 RETURNING FROM AN INTERRUPT PROCEDURE 


An interrupt procedure differs from a normal procedure in the method of leaving the 
procedure. The IRET instruction is used to exit from an interrupt procedure. The IRET 
instruction is similar to the RET instruction except that it increments the contents of the 
ESP register by an extra four bytes and restores the saved flags into the EFLAGS reg- 
ister. The IOPL field of the EFLAGS register is restored only if the CPL is 0. The IF 
flag is changed only if CPL s IOPL. 


9.7.1.3 FLAG USAGE BY INTERRUPT PROCEDURE 


Interrupts using either interrupt gates or trap gates cause the TF flag to be cleared after 
its current value is saved on the stack as part of the saved contents of the EFLAGS 
register. In so doing, the processor prevents instruction tracing from affecting interrupt 
response. A subsequent IRET instruction restores the TF flag to the value in the saved 
contents of the EFLAGS register on the stack. 


The difference between an interrupt gate and a trap gate is its effect on the IF flag. An 
interrupt which uses an interrupt gate clears the IF flag, which prevents other interrupts 
from interfering with the current interrupt handler. A subsequent IRET instruction 
restores the IF flag to the value in the saved contents of the EFLAGS register on the 
stack. An interrupt through a trap gate does not change the IF flag. 


9.7.1.4 PROTECTION IN INTERRUPT PROCEDURES 


The privilege rule which governs interrupt procedures is similar to that for procedure 
calls: the processor does not permit an interrupt to transfer execution to a procedure in 
a less privileged segment (numerically greater privilege level). An attempt to violate this 
rule results in a general-protection exception. 


Because interrupts generally do not occur at predictable times, this privilege rule effec- 
- tively imposes restrictions on the privilege levels at which exception and interrupt han- 
dling procedures can run. Either of the following techniques can be used to keep the 
privilege rule from being violated. 


e The exception or interrupt handler can be placed in a conforming code segment. This 
technique can be used by handlers for certain exceptions (divide error, for example). 
These handlers must use only the data available on the stack. If the handler needs 
data from a data segment, the data segment would have to have privilege level 3, 
which would make it unprotected. | 


e The handler can be placed in a code segment with privilege level 0. This handler 
would always run, no matter what CPL the program has. 
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9.7.2 Interrupt Tasks. 


A task gate in the IDT indirectly references a task, as Figure 9-5 illustrates. The segment 
selector i in the task gate addresses a TSS descriptor i in the GDT. 


INTERRUPT | TASK GATE 


VECTOR 


TSS SELECTOR 


TSS BASE ADDRESS 


TSS 
DESCRIPTOR. 
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Figure 9-5. Interrupt Task Switch 
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When an exception or interrupt calls a task gate in the IDT, a task switch results. 
Handling an interrupt with a separate task offers two advantages: 


e The entire context is saved automatically. 


e The interrupt handler can be isolated from other tasks by giving it a separate address 
space. This is done by giving it a separate LDT. 


A task switch caused by an interrupt operates in the same manner as the other task 
switches described in eae 7. The interrupt task returns to the interrupted task by 
executing an IRET instruction. 


Some exceptions return an error code. If the task switch is caused by one of these, the 
processor pushes the code onto the stack corresponding to the privilege level of the 
interrupt handler. 


When interrupt tasks are used in an operating system for the Intel486 processor, there 
are actually two mechanisms which can create new tasks: the software scheduler (part of 
the operating system) and the hardware scheduler (part of the processor’s interrupt 
mechanism). The software scheduler needs to accommodate interrupt tasks which may 
be generated when interrupts are enabled. 


9.8 ERROR CODE 


With exceptions related to a specific segment, the processor pushes an error code onto 
the stack of the exception handler (whether it is a procedure or task). The error code 
has the format shown in Figure 9-6. The error code resembles a segment selector; how- 
ever instead of an RPL field, the error code contains two one-bit fields: 


1. The processor sets the EXT bit if an event external to the program caused the 
exception. 


2. The processor sets the IDT bit if the index portion of the error ‘code refers to a gate. 
descriptor in the IDT. 


If the IDT bit is not set, the TI bit indicates whether the error code refers to the GDT 
(TI bit clear) or to the LDT (TI bit set). The remaining 13 bits are the upper bits of the 
selector for the segment. In some cases the error code is null (i.e., all bits in the lower 
word are clear). 


1 
5 3 


3 
1 
UNDEFINED — SELECTOR 
DURING TEST INDEX 


Figure 9-6. Error Code 
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The error code is pushed on the stack as a doubleword. This is done to keep the stack 
aligned on addresses which are multiples of four. The upper half of the doubleword is 
reserved. : 


9.9 EXCEPTION CONDITIONS 


The following sections describe conditions which generate exceptions. Each description 
classifies the exception as a fault, trap, or abort. This classification provides information 
needed by system programmers for restarting the procedure in which the exception 
occurred: 


e Faults—The saved contents of the CS and EIP registers point to the instruction which 
generated the fault. _— 


e Traps—The saved contents of the CS and EIP registers stored when the trap occurs 

' point to the instruction to be executed after the instruction which generated the trap. 
If a trap is detected during an instruction which transfers execution, the saved con- 
‘tents of the CS and EJP registers reflect the transfer. For example, if a trap is 
‘detected in a JMP instruction, the saved contents of the CS and EIP registers point to 
the destination of the JMP instruction, not to the instruction at the next address 
above the JMP instruction. 


e Aborts—An abort is an exception which permits neither precise location of the 
instruction causing the exception nor restart of the program which caused the excep- 
tion. Aborts are used to report severe errors, such as Snarawate errors: and inconsis- 

tent or illegal values in system tables. . 


9.9.1 | Interrupt o— oe Error 


The divide-error fault occurs during a DIV or an IDIV instruction when the divisor is 0. 


9.9.2 Interrupt 1—Debug Exceptions 

The processor generates a debug. exception for a number of conditions; whether the 
exception is a fault or a trap depends on the condition, as shown below: _ 

e Instruction address breakpoint fault 

e Data address breakpoint trap 

e General detect fault 

e Single-step trap 

e Task-switch breakpoint trap 

The processor does not push an error code for this exception. An exception handler can 


examine the debug registers to determine which condition caused the exception. See 
Chapter 11 for more detailed information about debugging and the debug registers. 
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9.9.3 Interrupt 3—Breakpoint 


The INT 3 instruction generates a breakpoint trap. The INT 3 instruction is one byte 
_ long, which makes it easy to replace an opcode in a code segment in RAM with the 

breakpoint opcode. The operating system or a debugging tool can use a data segment 
mapped to the same physical address space as the code segment to place an INT 3 
instruction in places where it is desired to call the debugger. Debuggers use breakpoints 
as a way to suspend program execution in order to examine registers, variables, etc. 


The saved contents of the CS and EIP registers point to the byte following the break- 
point. If a debugger allows the suspended program to resume execution, it replaces the 
INT 3 instruction with the original opcode at the location of the breakpoint, and it 
decrements the saved contents of the EIP register before returning. See Chapter 11 for © 
more information on debugging. | 


9.9.4 Interrupt 4— Overflow 


The overflow trap occurs when the processor executes an INTO instruction with the OF 
flag set. Because signed and unsigned arithmetic both use some of the same instructions, 
the processor cannot determine when overflow actually occurs. Instead, it sets the OF 
flag when the results, if interpreted as signed numbers, would be out of range. When 
doing arithmetic on signed operands, the OF Hag can be tested directly or the INTO 
instruction can be used. 


9.9.5 Interrupt 5—Bounds Check 


~The bounds-check fault is generated when the processor, while executing a BOUND 
instruction, finds that the operand exceeds the specified limits. A program can use the 
BOUND instruction to check a signed a) index against signed limits defined in a 
block of memory. 


9.9.6 Interrupt 6—Invalid Opcode 


The invalid-opcode fault is generated when an invalid opcode is detected by the execu- 
tion unit. (The exception is not detected until an attempt is made to execute the invalid 
opcode; i.e., prefetching an invalid opcode does not cause this exception.) No error code 
is pushed on the stack. The exception can be handled within the same task. 


This exception also occurs when the type of. operand is invalid for the given opcode. 
Examples include an intersegment JMP instruction using a register ae or an LES 
instruction with a register source operand. . 
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A third condition which generates this exception is the use of. the LOCK prefix with an 
instruction which may not be locked. Only certain instructions may be used with bus 
locking, and only forms of these instructions which write to a destination in memory may 
be used. All other uses of the LOCK prefix generate an invalid- -opcode exception. 


NOTE 


‘Table 9- 3 isa list of undefined opcodes that are reserved by Intel. These opcodes | 
do not generate interrupt 6. 


9.9.7 Interrupt 7—Device Not Available — 


The device-not-available fault is generated by either of two conditions: 
e The processor executes an ESC instruction, and the EM bit of the CRO sesisier is set. 


e The processor executes a WAIT instruction (with MP= me or ESC instruction, and 
the TS bit of the CRO register is set. = | 


Interrupt 7 thus occurs when the programmer wants ESC instructions to be handled by 
software (EM set), or when a WAIT or ESC instruction is encountered and the context 
of the ene. point v unit is different from that of the current oe 


On the 286 and Intel386 processors, the MP bit in the CRO cdaietet is aise with the Ts 


bit to determine if WAIT instructions should generate exceptions. noe programs running 
on the Intel486 processor, the MP bit should always be set. | 


Table 9-3. Intel Reserved Opcodes 


Single Byte 
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9.9.8 Interrupt 8— Double Fault 


Normally, when the processor detects an exception while trying to call the handler for a 
prior exception, the two exceptions can be handled serially. If, however, the processor 
cannot handle them serially, it signals the double-fault exception instead. To determine 
when two faults are to be signalled as a double fault, the Intel486 processor divides the 
exceptions into three classes: benign exceptions, contributory exceptions, and page 
faults. Table 9-4 shows this classification. 


When two benign exceptions or interrupts occur, or one benign and one contributory, 
the two events can be handled in succession. When two contributory events occur, they. 
cannot be handled, and a double-fault exception is generated. 


If a benign or contributory exception is followed by a page fault, the two events can be 
handled in succession. This is also true if a page fault is followed by a benign exception. 
However if a page fault is followed by a contributory exception or aueeaey page aut a 
double-fault abort is generated. 


An initial segment or page fault encountered while prefetching instructions is outside 
the domain of Table 9-4. Any further faults generated while the processor is attempting 
to transfer control to the appropriate fault handler could still lead to a double-fault 
sequence. 


The processor always pushes an error code onto the stack of the double-fault handler; 
however, the error code is always 0. The faulting instruction may not be restarted. If any 
other exception occurs while attempting to call the double-fault handler, the processor 
enters shutdown mode. This mode is similar to the state following execution of a HLT 
instruction. No instructions are executed until an NMI interrupt or a RESET signal is 


Table 9-4. Interrupt and Exception Classes 


Debug Exceptions 
NMI Interrupt 
Breakpoint - 

~ Overflow , 
Bounds Check 
Invalid Opcode 
Device Not Available 
Floating-Point Error 


Benign 
Exceptions 
and Interrupts 


{ 
2 
3 
4 
5 
6 
7 
6 


1 


Divide Error 

Invalid TSS; 
Segment Not Present 
Stack Fault 

General Protection 


Contributory 
Exceptions 
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received. If the shutdown occurs while the processor is executing an NMI interrupt 
handler, then only a RESET can restart the processor. The processor generates a special 
bus cycle to indicate it has entered shutdown mode. | 


9.9.9 Interrupt 9—(Intel reserved. Do not use.) 


Interrupt 9, the coprocessor-segment overrun abort, is generated in Intel386 CPU/ 
Intel387 math coprocessor systems when the Intel386 CPU detects a page or segment 
violation while transferring the middle portion of an Intel387 math coprocessor operand. 
This interrupt is not generated by the Intel486 processor; interrupt 13 occurs instead. 


9.9.10 Interrupt 10—Invalid TSS 


An invalid-TSS fault is “generated if a task switch to a segment with an invalid TSS is 
attempted. A TSS is invalid in the cases shown in Table 9-5. An error code is pushed 
onto the stack of the exception handler to help identify the cause of the fault. The EXT 
bit indicates whether the exception was caused by a condition outside the control of the 
program (e.g., if an external interrupt using a task gate attempted a task switch to an 
invalid TSS). 


This fault can occur either in the context of the original task or in the context of the new 
task. Until the processor has completely verified the presence of the new TSS, the excep- 
tion occurs in the context of the original task. Once the existence of the new TSS is 
verified, the task switch is considered complete; i.e., the TR register is loaded with a 
selector for the new TSS and, if the switch is due to a CALL or interrupt, the Link field 
of the new TSS references the old TSS. Any errors discovered by the processor after this 
point are handled in the context of the new task. 


To ensure a TSS is available to process the exception, the handler for an invalid-TSS 
exception must be a task called using a task gate. 


Table 9-5. Invalid TSS Conditions 


TSS segment TSS segment limit less than 67H 

LDT segment Invalid LDT or LDT not present 

Stack segment Stack segment selector exceeds descriptor table limit 
Stack segment Stack segment is not writable 

Stack segment _ Stack segment DPL not compatible with CPL 


Stack segment Stack segment selector RPL not compatible with CPL 
Code segment Code segment selector exceeds descriptor table limit 
Code segment Code segment is not executable 
Code segment | Non-conforming code segment DPL not equal to CPL 
Code segment Conforming code segment DPL greater than CPL 

- Data segment. Data segment selector exceeds descriptor Bee limit 
Data segment - Data segment not readable 
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9.9.11 Interrupt 11—Segment Not Present 


‘The segment-not-present fault is generated when the processor detects that the present 
bit of a descriptor is clear. The processor can generate this fault in any of these cases: 


e While attempting to load the CS, DS, ES, FS, or GS registers; loading the SS register, 
however, causes a Stack fault. 


e While attempting to load the LDT register using an LLDT instruction; loading the 
LDT register during a task switch operation, however, causes an invalid-TSS 
exception. 


e While attempting to use a gate descriptor which is marked segment-not-present. 


This fault is restartable. If the exception handler loads the segment and returns, the 
interrupted program resumes execution. 


If a segment-not-present exception occurs during a task switch, not all the steps of the 
task switch are complete. During a task switch, the processor first loads all the segment 
registers, then checks their contents for validity. If a segment-not-present exception is 
discovered, the remaining segment registers have not been checked and therefore may 
not be usable for referencing memory. The segment-not-present handler should not rely 
on being able to use the segment selectors found in the CS, SS, DS, ES, FS, and GS 
registers without causing another exception. The exception handler should check all 
segment registers before trying to resume the new task; otherwise, general protection 
faults may result later under conditions which make diagnosis more difficult. There are 
three ways to handle this case: 


1. Handle. the segment-not-present fault with a task. The task switch back to the inter- 
rupted task causes the processor to check the registers as it loads them from the 
TSS. | 


2. Use the PUSH and POP instructions on all sepment registers. Each POP instruction 
causes the processor to check the new contents of the segment register. 


3. Check the saved contents of each segment register in the TSS, simulating the test 
which the processor makes when it loads a segment register. 


This exception pushes an error code onto the stack. The EXT bit of the error code is set 
if an event external to the program caused an interrupt which subsequently referenced a 
not-present segment. The IDT bit is set if the error code refers to an IDT entry (e.g., an 
INT instruction referencing a not-present gate). 


An operating system typically uses the segment-not-present exception to implement vir- 
tual memory at the segment level. A not-present indication in a gate descriptor, however, 
usually does not indicate that a segment is not present (because gates do not necessarily 
correspond to. segments). Not-present gates may be used by an operating system to 
trigger exceptions of special significance to the operating system. 
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9.9.12 Interrupt 12—Stack Exception — 


A stack fault is generated under two conditions: 


e Asa result of a limit violation in any operation which refers to the SS. register. This 
includes stack-oriented instructions such as POP, PUSH, ENTER, and LEAVE, as 
well as other memory references which implicitly use the stack (for example, MOV 
AX, [BP +6]). The ENTER instruction generates this exception when there is too 
little space for allocating local variables. 


e When attempting to load the SS register with a descriptor eee is marked segment- 
not-present but is otherwise valid. This can occur in a task switch, a CALL instruction 
to a different privilege level, a return to a different privilege level, an LSS instruction, 
or a. MOV or POP instruction to the SS register. 


When the processor detects a stack exception, it pushes an error code onto the stack of 
the exception handler. If the exception is due to a not-present stack segment or to 
overflow of the new stack during an interlevel CALL, the error code contains a selector 
to the segment which caused the exception (the exception handler can test the present 
bit in the descriptor to determine which exception OceuTiE?); OUTCEWASG: the error Ecoue 
is . Gs : oe 


An instruction sepeneralitis this fault is restartable { in all c cases. The return saidites pushed 
onto the exception handler’s stack points to the instruction which needs to be restarted. 
This instruction usually is the one which caused the exception; however, in the case of a 
stack exception from loading a not-present stack-segment descriptor Curng a task 
switch, the indicated instruction iS oe first instruction of the new task. , 


When a stack stecpten occurs dane a task switch, the segment registers may not be 
usable for addressing memory. During a task switch, the selector values are loaded 
before the descriptors are checked. If a stack exception is generated, the remaining 
segment registers have not been checked and may cause exceptions if they are used. The 
stack fault handler should not expect to use the segment selectors found in the CS, SS, 
DS, ES, FS, and GS registers without causing another exception. The exception handler 
should check all segment registers before trying to resume the new task; otherwise, 
general protection faults may result later under conditions where diagnosis is more 
difficult. | : 


9.9.1 3 interrupt 13 — General Protection 


All protection violations hich do ‘not cause another exception cause a general- 
protection exception. This includes (but is not limited to): 


e Exceeding the segment limit when using the CS, DS, ES, FS, or GS aaa 
e Exceeding the segment limit when referencing a descriptor table. 

e Transferring execution to a segment which is not executable. — 

° Writing to a read-only data segment or a code segment. | : 


e Reading from an execute-only code segment. 
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e Loading the SS register with a selector for a read-only segment (unless the selector 
comes from a TSS during a task switch, in which case an invalid-TSS exception 
occurs). 


e Loading the SS, DS, ES, FS, or GS register with a selector for a system segment. 


e Loading the DS, ES, FS, or GS register with a selector for an execute-only code 
segment. 


@ Loading the SS register with the selector of an executable segment. 


o Accessing memory using the DS, ES, FS, or GS register when it contains a null 
selector. 


e Switching to a busy task. 
o Violating privilege rules. 


o Exceeding the instruction length limit of 15 bytes (this only can occur when redun- 
dant prefixes are placed before an instruction). 


o Loading the CRO register with a set PG bit (paging enabled) and a clear PE bit 
(protection disabled). 


o Interrupt or exception through an interrupt or trap gate from virtual-8086 mode to a 
handler at a privilege level other than 0. | 


_ The general-protection exception is a fault. In response to a general-protection excep- 
tion, the processor pushes an error code onto the exception handler’s stack. If loading a 
descriptor causes the exception, the error code contains a selector to the descriptor; 
otherwise, the error code is null. The source of the selector in an error code may be any 
‘of the following: 


1. An operand of the instruction. 
2. A selector from a gate which is the operand of the instruction. 


3. A selector from a TSS involved in a task switch. 


9.9.14 Interrupt 14—Page Fault 


A page fault occurs when paging is enabled (the PG bit in the CRO register is set) and 
the processor detects one of the following conditions while translating a linear address to 
a physical address: 


o The page-directory or page-table entry needed for the address translation has a clear 
Present bit, which indicates that a page table or the page containing the operand is 
not present in physical memory. 


o The procedure does not have sufficient privilege to access the indicated page. 


If a page fault is caused by a page level protection violation, the access bits in both the 
page-table and page-directory are set when the faults occur. 
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The processor provides the page fault handler two items ‘of information which aid in 
diagnosing the exception and recovering from it: | 


e An error code on the stack. The error code for a page fault has a format different 
from that for other exceptions (see Figure 9- 7). The error code tells the exception 
handler three things: 


1. Whether the exception was due to a not-present page or to an access rights 
violation. 


2. Whether the processor was executing at user or supervisor level 2 at the time of the 
exception. | ? 


3. Whether the memory access which caused the exception was a read or write. 


e The contents of the CR2 register. The processor loads the CR2 register with the 
- 32-bit linear address which generated the exception. The exception handler can use 
this address to locate the corresponding page directory and page table entries. If 
another page fault occurs during execution of the page fault handler, the handler will 
push the contents of the CR2 register onto the stack. 


FIELD | VALUE | DESCRIPTION a, 
The access causing the fault originated when 7 


the processor was executing in supervisor mode. 


The access causing the fault originated when 
the processor was executing in user mode. 


The access causing the fault was a read. 
The access causing the fault was a write. 
The fault was caused by a not-present page. 


The fault was caused by a page-level 
protection violation 
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Figure 9-7. Page Fault Error Code — 
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9.9.14.1 PAGE FAULT DURING TASK SWITCH 


These operations during a task switch cause access to memory: 
1. Write the state of the original task in the TSS of that task. 
2. Read the GDT to locate the TSS descriptor of the new task. 


3. Read the TSS of the new task to check the types of segment descriptors from the 
TSS. 


4. May read the LDT of the new task in order to verify the segment registers stored in 
_ the new TSS. | 


A page fault can result from accessing any of these operations. In the last two cases the 
exception occurs in the context of the new task. The instruction pointer refers to the next 
instruction of the new task, not to the instruction which caused the task switch (or the 
last instruction to be executed, in the case of an interrupt). If the design of the operating 
system permits page faults to occur during task-switches, the page- -fault handler should 
be called through a task gate. 


9.9.14.2 PAGE FAULT WITH INCONSISTENT STACK POINTER | 


Special care should be taken to ensure that a page fault does not cause the processor to 
use an invalid stack pointer (SS:ESP). Software written for Intel 16-bit processors) often 
uses a pair of instructions to change to a new stack; for example: 


MOV SS, AX 
MOV SP, StackTop 


With the Intel486 processor, because the second instruction accesses memory, it is pos- 
sible to get a page fault after the selector in the SS segment register has been changed 
but before the contents of the SP register have received the corresponding change. At 
this point, the two parts of the stack pointer SS:SP (or, for 32-bit programs, SS:ESP) are 
inconsistent. The new stack segment is being used with the old stack pointer. 


The processor does not use the inconsistent stack pointer if the handling of the page 
fault causes a stack switch to a well defined stack (i.e., the handler is a task or a more 
privileged procedure). However, if the page fault occurs at the same privilege level and 
in the same task as the page fault handler, the processor will attempt to use the stack 
indicated by the inconsistent stack pointer. | 


In systems which use paging and handle page faults within the faulting task (with trap or 
interrupt gates), software executing at the same privilege level as the page fault handler 
should initialize a new stack by using the LSS instruction rather than an instruction pair 
shown above. When the page fault handler is running at privilege level 0 (the normal 
case), the problem is limited to programs which run at privilege level 0, typically the 
kernel of the operating system. 7 | 
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9.9.15 Interrupt 16 — Floating-Point Error 


A floating-point-error fault signals an error generated by a floating- -point arithmetic 
instruction. Interrupt 16 can occur only if the NE bit in the CRO register is set. See 
Chapter 16 for more information on floating-point error reporting. 


9.9.16 Interrupt 17 —Alignment Check 


An alignment-check fault can be generated for access to unaligned operands. For exam- 
ple, a word stored at an odd byte address, or a doubleword stored at an address which is 
not an integer multiple of four. Table 9-6 lists the alignment requirements by data type. 
To enable alignment checking, the following conditions must be true: , 


e AM bit in the CRO register is set 
e AC flag is is set 
© CPL is 3 (user mode) 


Alignment checking is useful for programs which use the low two bits of pointers to 
identify the type of data structure they address. For example, a subroutine in a math 
library may accept pointers to numeric data structures. If the type of this structure is 
assigned a code of 10 (binary) in the lowest two bits of pointers to this type, math 
_ subroutines can correct for the type code by adding a displacement of —10 (binary). If 
the subroutine should ever receive the wrong pointer type, an unaligned reference would 
be produced, which would generate an exception. 


Alignment-check faults are generated only in user mode (privilege level 3). Memory 
references which default to privilege level 0, such as segment descriptor loads, do not 
generate alignment-check faults, even when caused by a memory reference made in user 
mode. 


Table 9-6. Alignment Requirements by Data Type 


Data Type - Address Must Be Divisible By - 


WORD 
‘DWORD 
Short REAL 
Long REAL 
TEMPREAL — 
Selector 


48-bit Segmented Pointer 
32-bit Flat Pointer . | 
32-bit Segmented Pointer 
48-bit ‘‘Pseudo-Descriptor” _ ) | | | | a 
FSTENV/FLDENV save area _ 4or 2, depending on operand size 
FSAVE/FRSTOR save area | | | 4 or 2, depending on operand size 
Bit String | : 6 SCE a, 4 ma 


ANYOBRANMO@OA AP 
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Storing a 48-bit pseudo-descriptor (the memory image of the contents of a descriptor 
table base register) in user mode can generate an alignment-check fault. Although user- 
mode programs do not normally store pseudo-descriptors, the fault can be avoided by 
aligning the pseudo-descriptor to an odd word address (i.e., an address which is 
2 MOD 4). 


FSAVE and FRSTOR instructions generate unaligned references which can cause ~ 
alignment-check faults. These instructions are rarely needed by application programs. 


9.10 EXCEPTION SUMMARY 


Table 9-7 summarizes the exceptions recognized by the Intel486 processor. 


9.11 ERROR CODE SUMMARY 


Table 9-8 summarizes the error information which is available with each exception. 
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| Table 9-7. Exception Summary 


_ Return Address 
Points to Faulting — 
_” Instruction? 


Vector 
Number 


| ar es ‘Exception | | Source of the © 
Description f | 
Type Exception 


Division by Zero DIV and IDINV instruc- 
| cc a tions — | 


Debug Exceptions |. : es a ie wi _ | Any code or data refer- 
ence 


Breakpoint 7 TRAP INT 3 instruction 
Overflow TRAP | INTO instruction 
Bounds Check — ts a8 | | FAULT. BOUND instruction 
Invalid Opcode FAULT Reserved Opcodes 


Device Not | FAULT ESC and WAIT instruc- 
Available tions 


Double Fault = A es | | ABORT... | Any instruction — 


Invalid TSS FAULT JMP, CALL, IRET 
instructions, interrupts, 
and exceptions 


Segment Not Present | FAULT Any instruction which 
changes segments 


Stack Fault: — 12 FAULT © Stack operations 


General Protection 13 FAULT/TRAP® | Any code or data refer- 
ence 


Page Fault 14 | FAULT Any code or data refer- 
| | ence 


Floating-Point Error 16 FAULT* ESC and WAIT instruc- 
tions 


Alignment Check 17 FAULT Any data reference » 
Software Interrupt 0 to 255 TRAP INT rn instructions 


1. Debug exceptions are either traps or faults. The exception handler can distinguish between traps and 
faults by examining the contents of the DR6 register. 


2. Restartability is conditional during task switches as documented in section 7.5. 


3. All general-protection faults are restartable. If the fault occurs while attempting to call the handler, the 
interrupted program is restartable, but the interrupt may be lost. 


4, Floating-point errors are not reported until the first ESC or WAIT instruction following the ESC instruction 
which generated the error. 
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Table 9-8. Error Code Summary 


Divide Error No 
Debug Exceptions No 
Breakpoint No 
Overflow No 
Bounds Check No 
Invalid Opcode No 
Device Not Available No 
Double Fault Yes (always zero) 
Invalid TSS | Yes 
Segment Not Present Yes 
Stack Fault Yes 
General Protection Yes 
Page Fault | Yes 
Floating-Point Error No 
Alignment Check Yes (always zero) 
Software Interrupt No 
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CHAPTER 10 
INITIALIZATION 


The Intel486 processor has an input, called the RESET pin, which invokes reset initial- 
ization. After RESET is asserted, some registers of the Intel486 processor are set to. 
known states. These known states, such as the contents of the EIP register, are sufficient 
to allow software to begin execution. Software then can build the data structures in 
memory, such as the GDT and IDT ee which are used by en and application 
software. 


Hardware asserts the RESET signal at power-up. Hardware may assert this -signal at 
other times. For example, a button may be provided for manually invoking reset initial- 
ization. Reset also may be the response of hardware to receiving a halt or shutdown 
indication. 


After reset initialization, the DH register holds a number which identifies the processor 
type. Binary object code can be made compatible with other Intel processors by using 
this number to select the correct initialization software. Note the Intel486 processor has 
several processing modes. It begins execution in a mode which emulates an 8086 proces- 
sor, called real-address mode. If protected mode is to be used (the mode in which the 
32-bit instruction set is available), the initialization software changes the setting of a 
mode bit in the CRO register. | 


10.1 PROCESSOR STATE AFTER RESET 


A self test may be requested at power-up. The self test is requested by asserting the 
AHOLD input during the falling edge of the RESET signal. It is the responsibility of the 
hardware designer to provide the request for self test, if desired. If the self test is 
selected, it takes about 27° clock periods to complete. (Intel reserves the right to change 
the exact number of periods without notification.) : 


The EAX register is clear if the Intel486 processor passed the test. A non-zero value in | 
the EAX register after self test indicates the processor is faulty. If the self test is not 
requested, the contents of the EAX register after reset initialization are undefined (pos- 
sibly non-zero). The DX register holds a component identifier and revision number after 
reset initialization, as shown in Figure 10-1. The DH register contains the value 4, which 
indicates an Intel486 processor. The DL register contains a “unique identifier of the 
revision level. | 


The state of the CRO register following power-up is shown i in Figure 10-2. These states 
put the processor into real-address mode with paging disabled. : 


The state of the EBX, ECX, ESI, EDI, EBP, ESP, GDTR, LDTR, TR, debug meseicis 
(other than DR7), and floating-point operand stack is undefined following power-up. 
Software should not depend on any undefined states. The state of the flags and other 
registers following power-up is shown in Table 10-1. | 
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EDX REGISTER _———_____——»| 


|< px RecisteR ————> | 


11 : | 
6 5. 8 7 0 
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Figure 10-1. Contents of the EDX Register After Reset 


———Q PAGING DISABLED _ 
—1 CACHING DISABLED ———0 ALIGNMENT CHECK DISABLED 
1 NOT WRITE-THROUGH 0 WRITE-PROTECT DISABLED 
DISABLED \ | 


0 ESC INSTRUCTIONS NOT TRAPPED 
0 WAIT INSTRUCTIONS NOT TRAPPED 
0 REAL MODE 3 
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Figure 10-2. Contents of the CRO Register After Reset 


Note that the invisible parts of the CS and DS segment registers are initialized to values 
which allow execution to begin, even though segments have not been defined. The base 
address for the code segment is set to 64K below the top of the physical address space, 
which allows room for a ROM to hold the initialization software. The base address for 
the data segments are set to the bottom of the physical address space (address 0), where 
RAM is expected to be. To preserve these addresses, no instruction which loads the 
segment registers should be executed until a descriptor table has been defined and its 
base address and limit have been loaded into the GDTR register. If CS is reloaded while 
in real mode, it will point to the lowest 1 Megabyte of physical memory: 
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Table 10-1. Processor State Following Power-Up 


00000002H' 
OOOOFFFOH 
CS OFOOOH? 
DS 0000H? 
SS | OO00H 
ES | 0O000H* 
FS OOOOH 
GS OOOOH 
IDTR (base) ~  Q0000000H 
IDTR (limit) O3SFFH 


DR6 i FFFFOFFOH 
DR7 00000000H 


Floating-Point Unit Registers* | 


Control Word 037FH 
Status Word | OOOOH 
Tag Word | OFFFFH 
IP Offset | 00000000H 
Data Operand Offset 00000000H 
CS Selector ) 0O00H 
Operand Selector OO00H 
Opcode 000H 


NOTE: Undefined bits are reserved. Software should not depend on the states of any of these bits. 

1. The high fourteen bits of the EFLAGS register are undefined following power-up. All of the flags are clear. 
2. The invisible part of the CS register holds a base address of OFFFFOOOOH and a limit of OFFFFH. 

3. The invisible parts of the DS and ES registers hold a base address of 0 and a limit of OFFFFH. 

4. The registers of the floating-point unit are not initialized unless the built-in self-test is invoked. 


10.2 Intel486 SX MICROPROCESSOR /Intel487 SX MATH 
COPROCESSOR INITIALIZATION | 


This interface is designed for two distinct sockets: one for the Intel486 SX CPU and one 
for end-user/dealer upgrade with Intel487 SX Math CoProcessor. Refer to the Intel486™ 
SX Microprocessor/Intel487™ SX Math CoProcessor Data Book for more details. The fol- 
lowing should be considered when designing an Intel486 SX CPU/Intel487 SX MCP 
system. 


1. The timing loops should be independent of the cpi. One way to attain this is to 
implement these loops in hardware and not in software (e.g., BIOS). 


2. Initialization routine should check the presence of a math coprocessor (e.g., 
Intel487 SX math coprocessor) and should set the floating point related bits in the 
CRO register accordingly. Recommended bit pattern is given in Table 10-2. The 
FSTCW instruction will give a value of FFFFh for the Intel486 SX microprocessor 
and 037Fh for the Intel487 SX math coprocessor. 
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Table 10-2. Recommended Values of the FP Related Bits for Intel486™ SX 
Microprocessor/Intel487™ SX Math CoProcessor System 


0, for DOS systems 
1, for user-defined exception handler 


Following is an example code to initialize the system and check for the presence of 
Intel486 SX microprocessor/Intel487 SX math coprocessor. 


fninit 

fstcw - mem—loc 7 

mov ax, mem_loc 

cmp ax, O3?fh 

jz Intel4a? Xx Math CoProcessor_present sax=847?fh 
jmp Intel4¥4b SX microprocessor_present ;ax=ffffh 


If the Intel487 SX math coprocessor is not present, the following code can be run to set 
the CRO register for the Intel486 SX microprocessor. 


mov eax, crd 


and eax, Fffffffdh smake MP=O 
or eax, O024h | | —  smake EM=1, NE=4 
mov | cr@, eax 


The above initialization will cause any floating point instruction to generate the inter- 
rupt 7. The software emulation will then take control to execute these instructions. This 
code is not required if Intel487 SX math coprocessor is present in the system, thereupon 
the typical intialization routine for the Intel486 SX microprocessor will be adequate. 


The interpretation of different combinations of the EM and MP big is SHOW: in 
Table 10-3. 7 


Table 10-3. EM and MP Bits Interpretations 


poem | ow interpretation 


Numeric instructions are passed to FPU; WAIT ignores TS 
Numeric instructions are passed to FPU; WAIT tests TS 


Numeric instructions trap to emulator; WAIT ignores TS 


Numeric instructions trap to emulator, WAIT tests TS 
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10.3 SOFTWARE INITIALIZATION IN REAL-ADDRESS MODE 


After reset initialization, software sets up data structures needed for the processor to 
perform basic system functions, such as handling interrupts. If the processor remains in 
real-address mode, software sets up data structures in the form used by the 8086 proces- 
sor. If the processor is going to operate in protected mode, software sets up data struc- 
tures in the form used by the 286 and Intel486 processors, then switches modes. See 
Section 10.7 for an example. 


10.3.1 System Tables 


In real-address mode, no descriptor tables are used. The interrupt vector table, which © 
starts at address 0, needs to be loaded with pointers to exception and interrupt handlers 
before interrupts can be enabled. The NMI interrupt is always enabled. If the interrupt 
vector table and the NMI interrupt handler need to be loaded into RAM, there will be a 
period of time following reset initialization when an NMI interrupt cannot be handled: 


10.3.2 NMI Interrupt 


Hardware must provide a.mechanism to prevent an NMI interrupt from being generated 
while software is unable to handle it. For example, the interrupt vector table and NMI 
interrupt handler can be provided in ROM. This allows an NMI interrupt to be handled 
immediately after reset initialization. Another solution would be to provide a mechanism 
which passes the NMI signal through an AND gate controlled by a bit in an I/O port. 
Hardware can clear the bit when the processor is reset, and software can set the bit 
when it is ready to handle NMI interrupts. System software designers should be aware of 
the mechanism used by hardware to protect software from NMI interrupts following 
reset. 


10.3.3 First Instruction | 


Execution begins with the instruction addressed by the initial contents of the CS and IP 
registers. To allow the initialization software to be placed in a ROM at the top of the 
address space, the high 12 bits of addresses issued for the code segment are set, until the 
first instruction which loads the CS register, such as a far jump or call. As a result, 
instruction fetching begins from address OFFFFFFFOH. Because the size of the ROM is 
unknown, the first instruction is intended to be a jump to the beginning of the initializa- 
tion software. If protected mode will be used and the processor is still in real mode, then 
only near jumps should be performed within the ROM-based software. After a far jump 
is executed, addresses issued for the code segment are clear in their high 12 bits. 


10.3.4 Enabling Caching 
The cache is enabled by clearing the CD and NW bits in the CRO register. This enables 


caching, write-through, and cache invalidation cycles. Because all cache lines are invalid 
following reset initialization, it is unnecessary to flush the cache before enabling caching. 
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Under circumstances where cache lines may be marked as valid, the cache may need to 
be flushed before enabling caching. This may occur as a result of using the test registers 
to run test patterns through the cache memory as part of confidence ne during 
software initialization. | 


10.4 SWITCHING TO PROTECTED MODE 


Before switching to protected mode, a minimum set of system data structures must be 
created, and a minimum number of registers must be initialized. 


10.4.1 System Tables 


To allow protected mode software to access programs and data, at least one descriptor 
table, the GDT, and two descriptors must be created. Descriptors are needed for a code 
segment and a data segment. The stack can be be placed in a normal read/write data 
segment, so no descriptor for the stack is required. Before the GDT can be used, the 
base address and limit for the GDT must be loaded into the GDTR reeter using an 
LGDT instruction. 


10. 4. 2 NMI Interrupt 


If hardware allows NMI interrupts to be senseacl the IDT aud a — for he NMI 
interrupt handler need to be created. Before the IDT can be used, the base address and 
limit for the IDT must be loaded into the IDTR register using an LIDT instruction. — 


10.4.3 PE Bit 


Protected mode is entered by setting the PE bit in the CRO register. Either an LMSW or 
MOV CRO instruction may be used to set this bit (the MSW register is part of the CRO 
register). Because the processor overlaps the interpretation of several instructions, it is 
necessary to discard the instructions which already have been read into the. processor. A 
JMP instruction immediately after the LMSW instruction changes the flow of.execution, 
so it has the effect of emptying the processor of instructions which have been fetched or 
decoded. : < ool 


After entering protected mode, the segment registers continue to hold the contents. they 
had in real address mode. Software should reload all the segment registers. eon in 
protected mode Deen with a CPL of 0. , | 


10.5 SOFTWARE INITIALIZATION IN PROTECTED MODE 


The data structures needed in protected mode are determined by the memory manage- 
ment features which are used. The processor supports segmentation models which range 
from a single, uniform .address space (flat model) to a highly structured model with 
several independent, protected address spaces for each task (multi-segmented model). 
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Paging can be enabled for allowing access to large data structures which are partly in 
memory and partly on disk. Both of these forms of address translation require data 
structures which are set up by the operating system and used by the memory manage- 
ment hardware. 


10.5.1 Segmentation 


A flat model without paging only requires a GDT with one code and one data segment 
descriptor. A flat model with paging requires code and data descriptors for supervisor 
mode and another set of code and data descriptors for user mode. In addition, it 
requires a page directory and at least one second-level page table. 


A multi-segmented model may require additional segments for the operating system, as 
well as segments and LDTs for each application program. LDTs require segment 
descriptors in the GDT. Most operating systems, such as OS/2, allocate new segments 
and LDTs as they are needed. This provides maximum flexibility for handling a dynamic 
programming environment, such as an engineering workstation. An embedded system, 
such as a process controller, might pre-allocate a fixed number of segments and LDT’s 
for a fixed number of application programs. This would be a simple and efficient way to 
structure the software environment of a system which requires fast real-time 
performance. 


10.5.2 Paging 


Unlike segmentation, paging is controlled by a mode bit. If the PG bit in the CRO 
register is clear (its state following reset initialization), the paging mechanism is com- 
pletely absent from the processor architecture seen by programmers. 


If the PG bit is set, paging is enabled. The bit may be set using a MOV CRO instruction. 
Before setting the PG bit, the following conditions must be true: 


e Software has created at least two page tables, the page directory and at least one 
second-level page table. 


o The PDBR register (same as the CR3 register) is loaded with the base address of the 
page directory. 


e The processor is in protected mode (paging is not available in real-address mode). If 
all other restrictions are met, the PG and PE bits can be set at the same time. 


As with the PE bit, setting the PG bit must be followed immediately with a JMP instruc- 
tion. Also, the code which sets the PG bit must come from a page which has the same 
physical address after paging is enabled. 


10.5.3 Tasks 


If the multitasking mechanism is not used, it is unnecessary to initialize the TR register. 
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If the multitasking mechanism is used, a TSS and a TSS descriptor for the initialization 
software must be created. TSS descriptors must not be marked as busy when they are 
created; TSS descriptors should be marked as busy only as a side-effect of performing a 
~ task switch. As with descriptors for LDTs, TSS descriptors reside in the GDT. The LTR 
instruction is used to load a selector for the TSS descriptor of the initialization software 
into the TR register. This instruction marks the TSS descriptor as busy, but does not 
perform a task switch. The selector must be loaded before performing the first task 
switch, because a task switch copies the current task state into the TSS. After the LTR 
instruction has been used, further operations on the TR register are performed by task 
switching. As with segments and LDTs, TSSs and TSS. BEACH can be. either pre- 
allocated or allocated as needed. 


10.6 TLB TESTING 


The Intel486 processor provides a mechanism for testing the translation lookaside buffer 
(TLB), the cache used for translating linear addresses to physical addresses. Although 
failure of the TLB hardware is extremely unlikely, users may wish to include TLB con- 
fidence tests among other power-up tests for the Intel486 processor. 


NOTE 


This TLB testing mechanism is unique to the Intel486 processor and may not be 
continued in the same way in future processors. Software which uses this mechanism 
may be incompatible with future processors. 7 


10.6.1 Structure of the TLB 


The TLB is a four-way set-associative memory. Figure 10-3 illustrates its structure. In the 
data block, there are eight sets of four data entries each. A data entry in the TLB 
consists of the 20 high-order bits of a physical address. These 20 bits can be interpreted 
as the base Benes of a page, which is Oy definition clear i in its 12 low- order bits. 


The TLB fsreises a linear address into a physical address, and so is aay cancenied 
with the high-order 20 bits of either; the low-order 12 bits (these constitute the offset into 
the page) are the same in both the linear and the physical address. 


Corresponding to the block of data entries is a block of valid, attribute and tag entries. 
The tag entry consists of the 17 high-order bits of a linear address. In translating 
addresses, the processor uses bits 12, 13, and 14 of the linear address to select one of the 
eight sets, and then checks the four tags of that set for a match with the high-order 17 
bits of the linear address..If a match is found among the tags of the selected set, and the 
corresponding valid bit equals 1, then the linear address is translated by. replacing its 
high-order 20 bits with the 20 bits of the corresponding data entry. 


_ Three LRU bits are provided with each set; they track the use of the data in the set, and 


are checked when a new entry is needed (and none of the entries in the set is invalid). A 
pseudo-LRU replacement algorithm is used. 7 . jo, 
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Figure 10-3. TLB Structure 


10.6.2 Test Registers 


Two test registers, shown in Figure 10-4, are provided for the purpose of testing. The 
TR6 register is the TLB test command register, and the TR7 register is the TLB test 
data register. These registers are accessed by forms of the MOV instruction. The MOV 
instructions are defined in both real-address mode and protected mode. The test regis- 
ters are privileged resources; in protected mode, the MOV instructions which access 
them can be executed only at privilege level 0 (most privileged). An attempt to read or 
write the test registers from any other privilege level causes a general-protection: 
exception. a 


Unlike the TLB of the Intel386 DX processor, the TLB of the Intel486 processor can be 
accessed without disabling paging. Also unlike the Intel386 DX processor, the TLB of 
the Intel486 processor uses a pseudo-LRU cache replacement algorithm to select entries 
for de-allocation when a new entry is needed and the TLB is full. 
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Figure 10-4, TLB Test Registers 
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The TLB test command register (TR6) contains a command and an address tag: 


e C This is the Command bit. There are two TLB testing commands: write entries into: 
the TLB, and perform TLB lookups. To cause a write into the TLB entry, move a 
doubleword into the TR6 register which contains a clear C bit. To cause an TLB 
lookup (read), move a doubleword into the TR6 register which contains a set C bit. 
TLB operations are triggered by writing to the TR6 register. 


e Linear Address On a TLB write, a TLB entry is allocated to this linear address; the 

rest of that TLB entry is assigned using the value of the TR7 register and the value 
just written into the TR6 register. On a TLB lookup, the TLB is interrogated with this 
value; if one and only one TLB entry matches, the rest of the fields of the TR6 and 
TR7 registers are set from the matching TLB entry. 

e V This bit.indicates the TLB entry contains valid data. Entries in the TLB which are 
not loaded with page table entries have a clear V bit. All V bits are cleared by writing 
to the CR3 register, which has the effect of emptying or “flushing” the TLB. The 
TLB must be flushed after modifying the page tables, because otherwise unmodified 
data might get used for address translation. 


e D, D# The D bit (and its complement). 
e U, U# The U/S bit (and its complement). 
© W, W# The R/W bit (and its complement). 


These bits are provided in both true and complement form for extra flexibility during 
TLB lookups. The manne of these pairs of bits is given in Table 10-4. 


Table 10-4. Meaning of Bit Pairs | in the TR6 Recisiek 


Tw Effect on TLB Lookup Effect on 1 TLB Write 


Do not match undefined 
Match if the bit is clear | - Clear the bit 
Match if the bit is set - Set the bit 


__ Match if set or clear | undefined 
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The TLB test data register (TR7) holds data read from or data to be written to the TLB: 


Physical Address This is the data field of the TLB. On a write to the TLB, the TLB 
entry allocated to the linear address in the TR6 register is set to this value. On a TLB 
lookup (read), the data field (physical address) from the TLB is loaded into this field. 


PCD Corresponds to the PCD bit of a page table entry. . 


PWT Corresponds to the PWT bit of a page table entry. 


LRU On a TLB read, corresponds to the bits used in the pseudo-LRU cache replace- 
ment algorithm. The states which are reported are the value of these bits before the 
TLB lookup. TLB lookups which result in hits and TLB writes can change these bits. 


PL On a TLB write, a set PL bit causes the REP field of the TR7 register to be used 
for selecting which of four associative blocks of the TLB entry is loaded. If the PL bit 
is clear, the internal pointer of the paging unit is used to select the block. The internal 
pointer is driven by the pseudo-LRU cache replacement algorithm. On a TLB lookup 
(read), the PL bit indicates whether the read was a hit (une PL bit i is set) or a miss 
(the PL bit is clear). | 


REP For a TLB write, selects which of four associative blocks of the TLB is to be 
written.: For a TLB read, if the PL bit is set, REP reports in which of the four 
associative blocks the tag was found; if the PL bit is clear, the contcnts of this field 
are undefined. os . 


10.6.3 Test Operations 


To write a TLB entry: 


i 


Move a doubleword to the TR7 register which contains the desired physical address, 
PCD, PWT, PL, and REP values. If the PL bit is set, the REP field selects the 
associative block in which to place the entry. If the PL bit is clear, the internal 
pointer is used. | | 


Move a doubleword to the TR6 register which contains the appropriate linear 
address, and values for the V, D, U, and W bits. The C bit must be clear. 


Do not write duplicate tags; the results of doing so are undefined. 


To lookup (read) a TLB entry: 


1. 


Move a doubleword to the TR6 register which contains the. appropriate ee 
address and attributes. The C bit must be set. : 


. Read the TR7 register. If the PL bit in the TR7 register is set, then the rest of the 


register contents report the TLB contents. If the PL bit is clear, ie the other 


_ values in the TR7 register, ac the LRU bits, are undefined. 


For the purposes of testing, the V bit functions as eaehiee bit of address. The V bit for 
a lookup request should usually be set, so that uninitialized tags do not match. Lookups 
with the V bit clear are unpredictable if any tags are uninitialized. 
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10.7 CACHE TESTING 


The Intel486 processor peace: a acchedien for testing the cache used for instructions 
and data. Although failure of the cache hardware is extremely unlikely, users may wish 
to include cache confidence tests among other power-up tests for the Intel486 processor. 


NOTE 


| This neh testing mechanism is unique to the Intel486 processor and may not be 
- continued in the same way in future processors. Software which uses this mechanism 
may be incompatible with future processors. —__ 


Caching must be disabled while performing cache testing. 


10.7.1 Structure of the Cache 


The cache is a four-way ‘set-associative memory. This means that a data block from a 
given location in main memory can be stored in any of four locations in the cache. 
Four-way association is a compromise between the speed of direct-mapped cache on 
cache hits and the high hit ratio of fully associative cache. It permits rapid searches of 
the cache to find data while providing a high proportion of cache hits. 


The cache consists of three blocks: 


Data Block—contains up to 8K-bytes of data and instructions. The data block is 
divided into four arrays, each containing 128 cache lines. Each cache line holds data 
from 16 successive memory addresses, beginning with an address divisible by 16. To 
each 7-bit index into the arrays of the data block there correspond four cache lines, 
one from each array. Four cache lines with the same index are called a set. 


Tie Block —contains one 21-bit tag for each line of data in the cache. The tag block is 
therefore also divided into four arrays, each containing 128 tags. The tag consists of 
the high-order 21 bits of the physical address of the data stored 1 in the corresponding 
cache line. 


Valid and LRU Block —contains one 7-bit quantity for each of the 128 sets of cache 
lines. Four bits are used to mark the cache lines in the set individually as valid or 


invalid. The other three bits track the use of the data in the set, and are checked 


when a cache line-fill is needed (and none of the lines in the set is invalid). As in the 


_ TLB, a ee Oa cache i Peremen scone iS used: 


Cache deeds is s speuta by splitting the high-order 28 bits af the: Ss ieieal danse 
into two parts. The highest-order 21 bits are the tag field, and are used to distinguish the 
cached data from any other 16-byte data line that could have been stored in the same 
set. The next-highest 7 bits are > the index oe and determine the set in which the data 
can be stored. 
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Figure 10-5. Cache Structure 


10.7.2 Test Registers 


Three test registers, shown in Figure 10-6, are provided for the purpose of testing. The 
TR3 register is the cache test data register, the TR4 register is the cache test status 
register, and the TR5 register is the cache test control register. These registers are 
accessed by forms of the MOV instruction. The MOV instructions are defined in both 
real-address mode and protected mode. The test registers are privileged resources; in 
protected mode, the MOV instructions which access them can be executed only at priv- 
ilege level 0 (most privileged). An attempt to read or write the test régisters from any 
other privilege level causes a general-protection exception. 7 


The cache test data register (TR3) contains a doubleword to write to the cache fill 
buffer, or a doubleword read from the cache read buffer. The fill and read buffers each 
have storage for four doublewords, which pass through this register one at a time. A 
particular doubleword in either buffer is addressed using the 2-bit Entry Select field 
(bits 2 and 3) in the TRS register. | | 
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Figure. 10-6. Cache Test Registers 


The cache test status register (TR4) contains Valid and LRU bits, and a tag: 


Valid (bits 3..6). On'a cache lookup, these are the four Valid bits of the set which was 
accessed. 


LRU. On a cache lookup, these are the three LRU bits of the set which was accessed. 
On a cache write, these bits are ignored; the LRU bits in the cache are updated by 
the pseudo- -LRU cache replacement algorithm. | 


‘Valid (bit . 10). This is the Valid bit for the particular entry which was accessed. Ona 
~ cache lookup, it is a copy of one of the bits reported in bits 3..6. On a cache write, it 


becomes the new valid bit for the entry and set selected. 


| Tag Address. On a cache write, this 1 is ane address which becomes Be tag. 


The ache: test sone seeistes c7R5) contains. he 7-bit set select, 2 bit entry select, and 
a 2-bit control field: | 


Set Select. Selects one of the 128 sets. 


Entry Select. During a cache read or write, selects 0 one of the four entries in the set 


addressed by the Set Select; during cache-fill-buffer writes, or read-buffer reads, 
selects one of the four doublewords i in a line. 


Control. The functions encoded by these bits are shown in Table 10- 5. 
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Table 10-5. Encoding of Cache Test Control Bits 


Write to cache fill buffer, or read from cache read buffer. 


Perform cache write. 
Perform cache read. 


Flush the cache (mark all entries as invalid). 


Writing to TR5 with either bit 0 or bit 1 set causes a cache access. TR5 cannot be read. 


10.7.3 Test Operations 


Before cache testing: — 


1. 


Disable caching by setting the CD bit in the CRO register. 


To write to the cache fill buffer: 


1. 


Load the TR5 register with a value in the Entry Select field which addresses one of 
the four doublewords in the cache fill buffer: The value of the Sour field must be 
00 (binary). - 


. Load the TR3 register with the data to be written to the cache fill buffer. The write 


to the buffer is triggered by loading this register. 


. Repeat steps 1 and 2 above for each of the remaining three doublewords in the 


cache fill buffer. 


To write to the cache: 


Load the cache fill buffer, as described above. 


Load the TR4 register with the tag (bits 11..31) and a valid bit (bit 10). The other 
bits of the TR4 register (bits 0..9) have no effect on the cache write. 


. Load the TR5 register with Control, Entry Select, and Set Select values. The value 


in the Control field must be 01 (binary). The cache write is triggered by. nee this 
register. 


To read from the cache: 


Ae 


Load the TRS register with Control, Entry Select, and Set Select values. The value 
in the Control field must be 10 (binary). The cache read is triggered by loading this 
register. The cache read loads the TR4 register with the tag for the entry which was 
read, and the LRU and Valid bits for the entire set which was read. The cache read 
loads the cache read buffer with 128 pile of data. The buffer can be read using the 
following procedure. 
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To read from the cache read buffer: 


1. 


Load the TRS register with Control and Entry Select values. The , Entry Select norte | 
addresses one of the four ere in the cache read buffer. The value i in the 


Control field must be 00 (binary). | 


Read a doubleword from the cache read buffer by unloading the TR3 register. The 


read from the buffer is triggered by unloading this register. 


Repeat steps 1 and 2 above for each of the remaining ntee doublewords | in | the 


cache read buffer. 


To flush the cache: 


i 


Load the TRS register with a Control value. The value in the Control field must be 
11 (binary). None of the other fields have any meaning in this case. The cache flush 
is triggered by loading this a All of the LRU bits and Valid bits are cleared. 


10.8 INITIALIZATION EXAMPLE 


The following program templates are sieved by Intel op your ‘benefit: in n developing 


software for the Intel486 processor. 


~e we le ~e we ~e we we le ~s we we we we we ~e ~e ~e we we we we 


Simpinit-asm 


- Initialization code for lela Flat Guinean) ‘model exanple 


SLI TertTtet tert ieetrectrertrertiertiert tert tertiert tert tree treet tee 


Version 2-8 

Copyright Intel Corp-, 1984 me 
This template is intended for your benefit in developing applications/— | 
systems using Intel Intel4¥8b™ or Intel38b™ family microprocessors: 


Intel hereby grants you permission to modify and anCOnPenarS it. as 


needed. 


Preceeeeectrtrrserettttttirrttettttttttitittttetttttitteettte titi ree ee es. 


This is an example of initialization code to put either the i¥8b(TM) — 
processor, Intel3&b DX processor, Intel3&b SX processor or J7b(TM) processor’: ~~ 


into flat mode. All of memory is treated as simple linear RAN. 

There are no interrupt routines. The builder creates the GDT Bs 

alias and IDT alias and places them, by default, in GDT(1] and GDT(2). 
After entering protected mode, this code jumps to an ASM38b/44b startup © 
routine for a C application. You can change this UMP address to that on 
your code, or make the label of your code. CSTARTUP. 


NAME simpstart ; name of object module | ee 
EXTRN c_startup:near ; this is the label jmped to after init.code | 
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pe_flag equ 1 ; for setting PE bit 
data_selc equ c@H =; offset of —phantomdata_ in GDT (GDTC4)) 
CODENACRO opprefx $3 macro to change default operand size 
db bbH | , 
ENDN 


init_code SEGMENT ER PUBLIC 

; GDT_DESC is a public symbol referred to in the build file. The LOCATION 
s definition in the TABLE section of the build file points to this label; 
: the builder stores the base and limit for the named table at this 

; location in memory: 


PUBLIC gdt_desc 
gdt_desc dp ? 
; START is a label that points to the true beginning of our executable 
; code. The BOOTSTRAP control causes the builder to place a short jump 
: to the named label in this case, START) at the component reset vector. 
PUBLIC start | | 
;s Since this code initializes either an Intel4¥8b, Intel3&b DX, Inteld&b SX or 37b 
* processor into protected mode, the first instructions at START test for component 
; type» The Intel4¥4b or Intel3&b DX or Intel3&b SX processor at reset is in real or 
; compatibility mode: the PE bit is off and the D bit for CS is not set. 
s Instructions execute in their 1b-bit form. The 37b processor at reset 
; has the PE bit on as well as the D bit, so instructions execute in their 
; 32-bit form. — a | 
nop ; NOPs are for initializing a Intel44b or Inteld&b DX 


nop ; or Intel3&b SX processor 
Start: 
cld , ie ; clear direction flag 
smsw bx ; use SMSU rather than MOV for speed 
test bl,1 s check for processor type at reset 


jnz pestart 


; Loading the GDTR at REALSTART or PESTART depends on user hardware 
; returning a READY after a write to. ROM. 


realstart: s is an Intel4¥&b or Intel3&b DX or Intel3&b SX processor 
oppref x — 4 ; and in 1tb-bit real mode, use operand prefix to | 
mov eax,offset gdt_desc ; get 3e-bit address of GDT pointer 
opprefx ; use operand prefix to 
and eax,Offffh ; make address relative to reset area 
lgdtw cs:{eax] ; load 24 bits of base into GDTR 
mov ax,bx ; copy machine status word 
or al,pe_flag ; set PE bit 
lmsw ax , ; load machine status word with PE bit set 
jmp next ; flush prefetch queue 
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pestart: 7 ; is a 3?b processor and in 32-bit protected 
mode , , on a ee | 
mov eax,offset gdt_desc 3; get J3ce-bit address of GDT pointer 
and eax, @ffffh ; make address relative to reset area 
lIgdt cs:Ceax] ; load 32 bits of base into GDTR 
next: . 
xor eax, eax . s initialize data selectors 
mov al,data_selc ; GDTC4) is —phantom_data_ 
mov ds,ax 3 | | 
mov SS,ax 
mov eS,ax 
mov fS,ax 
mov gS,ax 
test bl,1i 
jnz pejump 
opprefx 5 use operand prefix for Intel4&b or Intel3&b DX or 
pe jump: | + 3 Intel3&b SX processor jump “3 oO 


jmp far ptr c startup : first far jump causes A31-20 to drop low 
init_code ENDS 


END 
; cStart-asm | | 
An ASM34b/48b module to initialize the stack and call a C application | 


~we 


5 RRR KKK KK KR K KKK KKK KKK KKK RRR KK RRR KK KK RK KK RRR KK KK KEK KK KKK 


; Version 2-0 — 

; Copyright Intel Corp-., 1944 | 

: This template is intended for your benefit in developing applications/ 
; systems using Intel48b™ or Intel3&b™ family microprocessors. 

; Intel hereby grants you permission to modify and incorporate it as 

* needed. | 


H PTTTTTTT ELST ETT CITT CTT ETT TELE TE TTC TTT CTT CTT CTT CTT ETT TTT Tete TTT TTT ee 


NAME cstart ; name of the object module 


EXTRN maintnear : label of the C application to be called 
PUBLIC c_startup ~ $; public symbol used in processor initialization 
code | : = | 


stack STACKSEG 1024 


data SEGMENT RW PUBLIC 
data ENDS 
code3¢2 SEGMENT ER PUBLIC 
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c_startup: 
mov esp,stackstart stack ; initialize stack pointer 
call main ; call C application 
hlt ; halt processor 


codeje ENDS 

/* simple-c : 

C38b/4Ab application code for simple flat model example 

Steet seessessssse sss seseessestesststesesssessssressesesssteressesess esses s: 


Version 2-@ 

Copyright Intel Corp-, 1984 

This template is intended for your benefit in developing applications/ 
systems using Intel4¥4b™ or Intel3&b” family microprocessors. Intel 
hereby grants you permission to modify and incorporate it as needed. 


KAKKKKK KKK KKK KKK KKK KKK KKK KK KKK KKK KKK AK KKK RK AK KKK KKK KKK KKK KKK AK KKK KKK KKK KKK KK 


x/ 
char message(J="IT WORKS" ; 


main () 
{ 

int array—count(1@1; 
aray count(1] = 1; 
aray_count(2] =¢ 
aray_count(3) = 3 
araycount(4] = 4 
aray—count(5] = 5; 
aray_count(b] = hb 
aray count(?] = 7 
aray_count[4] = 4 


} 

-- simple-bld | | 
-- Build file for input to BLD34b/48b to create simple flat model example 
Tete Tete setts tsetse tsetse ss ttest esses esses sssete ste s ses ess estes ses es ssf: 
-- Version 2.8 © 

-- Copyright Intel Corp-., 1944 

-- This template is intended for your benefit in developing applications/ 
-- systems using Intel4¥4b™ or Intel38b” family microprocessors: 

-- Intel hereby grants you permission to modify and incorporate it as 

-- needed. 

SE TESESSSSESS sss esse ssesessesessesesesseseseessessessesss sess esses ses esses 
Simple; -- build program id 

SEGMENT 
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ksegments (DPL 
—phantom_code_ (DPL 


init_code 


8), 
Q), 
—phantom_data. (DPL = @), 


INITIALIZATION 


Give all user segments a DPL of @. 
These two segments are created by 

the builder when the FLAT control is 
used. 

Their default DPL is @; they are listed 
here for reference only: 

Put initialization code at reset area. 


(BASE = Off ff B30BH) ; 


TABLE 
-- create GDT 
GDT | | 


BASE = Offff@100H 


); == end GDT 
TASK 
main_task 
(BASE = Offff@2G0H, 
DATA = data, 
CODE = main, 
STACKS = (stack), 
NO INTENABLED 
)s a 
TABLE 


Idt1 (NOT CREATED) ; 


END 


-- GDT_DESC is a public symbol in the 
-- "Simpstart" initialization module. 
(LOCATION = gdt_desc, 


In a buffer starting at GDT_DESC, 
BLDS6bL/48b places the GDT base and 
GDT limit values. Buffer must be 

b bytes long. The base and limit 
values are places in this buffer 
as two bytes of limit plus 

four bytes of base in the format 
required for use by the LGDT 
instruction. | 


Task is for *ICD-48b or ICE™=-38b 
or ICE-37b emulator initialization. | 


Points to a segment that 
indicates initial DS value. 

Entry point is main, which 

must be a public id. 

Segment id points to stack 
segment. Sets the initial SS:ESP. 
Disable interrupts. 


-- Builder does not place LIT in object 
-- module, but contents appear in listing. 
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+ Note: ICD-48b is an in-circuit debugger for the Intel4&b CPU. This product 
-- is scheduled for availability in the fourth quarter of 1984. 

echo off 

echo simple.-bat 

echo A DOS batch file for generating a bootloadable simple flat model 

echo OOOO OG GOGO OK. 


echo ¥ and incorporate it as needed. 
echo | : 
MG MESEST ESS ESS See Sse se essesessssesessesese tsetse sessesseseesssetstsssesses: 
REM 7 - 7 : 

REN The following two invocations of ASM3&b/48b create object modules 

REN "simpinit-obj" and "cstart-obj". The assembler issues warnings with 

REN each invocation due to the use of privileged instructions in the files. 
REM The "debug" control directs ASM3&b/4ab to include extra information 

REM useful in symbolic debugging. The listing files are "Simpinit-lst" and 
REM "cstart-lst". 

echo *echo asm3&b simpinit-asm debug mod4&b 

asm3&b simpinit-asm debug mod4ab 

echo (1 warning due to use of privileged instructions) 

echo x 

echo asm34b cstart-asm debug mod4éb 

asm34b cstart-.asm debug mod4ab 

echo (1 warning due to use of privileged instructions) 

REM a 
REM The invocation of C-38b/48b creates an object module "Simple-obj". The 
REN "regallocate" control directs the compiler to optimize the allocation of 
REM register variables. The "code" control causes placement of a pseudo- . 
REM assembly language listing at the end of the listing file. "Debug" 

REN directs C-38b/48b to include extra information useful in symbolic 

REM debugging: The listing file is "Simple-lst”. 

echo * 

echo c3&b simple-c debug regallocate code mod4&b 

cJ4b simple-c debug regallocate code mod4&b 

REM 

REM BND38b/48b combines the input segments and resolves symbolic addressing: 
REN The "noload" control directs the binder to create a linkable (rather 

REM than loadable) file» The "debug" control indicates that the binder does 
REM not purge debug information. "Object" directs the output file to be 

REM named "simple-bnd". The listing file is "simple-mp1i". 

echo x 

echo bnd34b simple-obj,simpinit-obj,cstart-obj noload debug object 


echo * x 
echo * Version 2-2 x 
echo * Copyright Intel Corp-, 1944 x 
echo * This template is intended for your benefit in developing x 
echo ¥ applications/systems using Intel44b™ or Intel3ab” family x 
echo * microprocessors: Intel hereby grants you permission to modify * 

x | x 

x x 


10-21 


intel . INITIALIZATION 


(simple-bnd) mod48b 

bnd3éb simple-obj,simpinit. ies: cstart. 64 noload meg object (simple-bnd) mod4&b 
REM 

REM The goal is an absolute bootloadable file (all sddpeeses fixed in 

REN memory) suitable for loading into an ICD-48b in-circuit debugger or an ICE-3&b 
REN or ICE-37b in-circuit emulator. BLD3&b/48b creates such an absolute module, 
REN necessary descriptor tables, and a task for initializing the emulator. The 
REM "buildfile” control identifies "simple-bld" as the build file. The 

REM "bootstrap" control identifies the symbol "start" as the label of the 

REM instruction to be jumped to by the bootstrap jump placed at OfffffffOH. 

REN The "flat" control directs the builder to configure the file in a flat 

REM model, where all code resides in the —phantom_code_ segment and all data 
REM resides in the —phantom_data_ segment. The "mod4¥8b" control causes the 
REN builder to issue messages to guide creation of the object module for an 

REN Intel4¥&b processor. The "mod3?b" control causes the builder to issue 

REN messages to guide creation of the object module for a 37b 

REM processor. You can remove either control to create an object module for 

REM a Intel3&b DX phogessors The listing file is "simple-mpe". The final system 
REM is "simple". ts 7 

echo x 

echo bld3&b simple-bnd buildfile (simple-bld) ssaRecEG (start) eae mod¥ab 
bld3&b simple-bnd buildfile (simple-bld) bootstrap (start) flat. mod4&b 
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CHAPTER 11 
DEBUGGING 


The Intel486 processor has advanced debugging facilities which are particularly impor- 
tant for sophisticated software systems, such as multitasking operating systems. The fail- 
ure conditions for these software systems can be very complex and time-dependent. The 
debugging features of the Intel486 processor give the system Prosraninics valuable tools 
for looking at the dynamic state of the processor. 


The debugging support is accessed through the debug registers. They hold the addresses . 
of memory locations, called breakpoints, which invoke debugging software. An exception 
is generated when a memory operation is made to one of these addresses. A breakpoint 
is specified for a particular form of memory access, such as an instruction fetch or a 
doubleword write operation. The debug registers support porn instruction breakpoints 
and data breakpoints. 


With other processors, instruction breakpoints are set by replacing normal instructions 
with breakpoint instructions. When the breakpoint instruction is executed, the debugger 
is called. But with the debug registers of the Intel486 processor, this is not necessary. By 
eliminating the need to write into the code space, the debugging process is simplified 
(there is no need to set up a data segment mapped to the same memory as the code 
segment) and breakpoints can be set in ROM-based software. In addition, breakpoints 
can be set on reads and writes to data which allows real-time monitoring of variables. 


11.1 DEBUGGING SUPPORT 


The features of the architecture which support debugging are: 


e Reserved debug interrupt vector — Specifies a procedure or task to be called when an 
event for the debugger occurs. 


o Debug address registers—Specifies the addresses of up to four breakpoints. 
e Debug control register —Specifies the forms of memory access for the breakpoints. 


e Debug status register — Reports conditions which were in effect at the time of the 
exception. 


e Trap bit of TSS (T-bit) — Gacne a debug exception when an eteDt is made to 
perform a task switch to a task with this bit set in its TSS. 


e Resume flag (RF)— Suppresses multiple exceptions to the same instruction. 
e Trap flag (TF)—Generates a debug exception after every execution of an instruction. 


e Breakpoint instruction—Calls the debugger (generates a debug exception). This 
instruction is an alternative way to set code breakpoints. It is especially useful when 
more than four breakpoints are desired, or when breakpoints are being placed in the 
source code. 


e Reserved interrupt vector for breakpoint exception — Calls a spiseedne or task when a 
breakpoint instruction is executed. 
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These features allow a debugger to be called either as a separate task or as a procedure 
in the context of the current task. The acnowans conditions can be used to call the 
debugger: 


e Task switch to a specific task. 

e Execution of the breakpoint Staion: 

e Execution of any instruction. | 

e Execution of an instruction at a specified address. | 

e Read or write of a byte, word, or doubleword at a specified address. 
e Write toa byte, word, or Coupiewore at a SPeraee address. 


° Attempt to change the contents of a debug register. 


11.2 DEBUG REGISTERS 


Six registers are used to control jebuaving These registers are scceesel by jong of the 
MOV instruction. A debug register may be the source or destination operand for one of 
these instructions. The debug registers are privileged resources; the MOV instructions 
which access them may be executed only at privilege level 0. An attempt to read or write 
the debug registers from any other privilege level generates a general: protecuon excep- 
tion. Figure a 1 shows the format of the debug registers. 


11.2.1 Debug Address Registers (DRO-DR3) 


Each of these registers holds the linear address for one of the four breakpoints. That is, 
breakpoint comparisons are made before physical address translation occurs. Each 
breakpoint condition is specified further by the contents of the DR7 register. 


11 2. 2 Debug Control Register (DR7) 


The debug sSitiol Sesser owe in Figure 11-1 specifies the sort ot memory access 
associated with each breakpoint. Each address in registers DRO to DR3 corresponds to a 
field R/WO to R/W3.in the DR7 register. The processor interprets these bits as follows: 


00 — Break on instruction execution only | 

Ol — Break on data writes omy 

10 —undefined a+ 7 
11—Break on data reads or writes but HOt instruction fetches 


Mae 
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DEBUG REGISTERS 


| RESERVED oa 


HARDWIRED BITS ARE Breen. DO NOT DEFINE 


240486i1 1-1 


Figure 11-1. Debug Registers 


The LENO to LEN3 fields in the DR7 register specify the size of the breakpointed 
location in memory. A size of 1, 2, or 4 bytes may be specified. The length fields are 
interpreted as follows: 


00—one-byte length 

_ 01—two-byte length 
~10—undefined — 

11—four-byte length 


If RWn is 00 (instruction execution), then LENn should also be 00. The effect of using 
any other length is undefined. 
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The GD bit enables the debug register protection condition that is flagged by BD of 
DR6. Note that GD is cleared at entry to the debug exception handler by the processor. 
This allows the handler free access to the debug registers. 


The low eight bits of the DR7 register (fields LO to L3 and GO to G3) individually enable 
_ the four address breakpoint conditions. There are two levels of enabling: the local (LO 
through L3) and global (GO through G3) levels. The local enable bits are automatically 
cleared by the processor on every task switch to avoid unwanted breakpoint conditions in 
_ the new task. They are used to breakpoint conditions in a single task. The global enable 
bits are not cleared by a task switch. Tay, are used to enable breakpoint conditions 
which apply to all tasks. e 


The Intel486 processor always uses exact data breakpoint matching in debugging. That 
is, if any of the Ln/Gn bits are set, the processor slows execution so that data breakpoints 
are reported for the instruction which triggered the breakpoint, rather than the next 
instruction to execute. In such a case, one- clock instructions which access memory will 
~ take two oe to execute. 


In the Intel386 DX processor, exact data breakpoint matching will not occur unless it is 
enabled by setting either the es or pe of bit. The Intel486 proceso} ABaUres these 
bits. 


11.2.3 Debug Status Register (DR6) 


The debug status register shown in Figure 11-1 reports conditions sampled at the time 
the debug exception was generated. Among other information, it reports which break- 
point triggered the exception. Update only occurs if the exception is taken, then all bits 
will be updated. 


When an enabled breakpoint generates a debug exception, it loads the low four bits of 
this register (BO through B3) before entering the debug exception handler. The B bit is 
set if the condition described by the DR, LEN, and R/W bits is true, even if the break- 
point is not enabled by the L and G bits. The processor sets the B bits.for all breakpoints 
which match the conditions present at. the time the debug exception is generated, 
whether or not they are enabled. 


The BT bit is associated with the T bit (debug trap bit) of the TSS (see Chapter 6 for the 
format of a TSS). The processor sets the BT bit before entering the debug handler if a 
task switch has occurred to a task with a set T bit in its TSS. There is no bit in the DR7 
register to enable or disable this exception; the T bit of the TSS is the only enabling bit. 


The BS bit is associated with the TF flag. The BS bit is set if the debug exception was 

triggered by the single-step execution mode (TF flag set). The single-step mode is the 
-highest-priority debug exception; when the BS bit is set, any of the other debug status 
bits also may be set. 


The BD bit is set if the next instruction will read or write one of the eight debug registers 
while they are being used by in-circuit emulation. ee re ae 
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Note that the contents of the DR6 register are never cleared by the processor. To avoid 
any confusion in identifying debug exceptions, the debug handler should clear the regis- 
ter before returning. | 


11.2.4 Breakpoint Field Recognition 


The address and LEN bits for each of the four breakpoint conditions define a range of 
sequential byte addresses for a data breakpoint. The LEN bits permit specification of a 
one-, two-, or four-byte range. Two-byte ranges must be aligned on word boundaries 
(addresses which are multiples of two) and four-byte ranges must be aligned on double- 
word boundaries (addresses which are multiples of four). These requirements are 
enforced by the processor; it uses the LEN bits to mask the lower address bits in the 
debug registers. Unaligned code or data breakpoint addresses do not yield the expected 
results. 


A data breakpoint for reading or writing is triggered if any of the bytes participating in.a 
memory access is within the range defined by a breakpoint address register and its LEN 
bits. Table 11-1 gives some examples of combinations of addresses and fields with mem- 
ory references which do and do not cause traps. © 


A data breakpoint for an unaligned operand can be made from two sets of entries in the 
breakpoint registers where each entry is byte-aligned, and the two entries together cover 
the operand. This breakpoint generates exceptions only for the operant: not for any 
neighboring bytes. 


‘Table 11-1. Breakpointing Examples 


Register Contents 1 (LENO 
Register Contents | 1 (LENO 
Register Contents . 2 (LENO 
Register Contents 4 (LENO 


Memory Operations Which Trap 


{ 
{ 
2 
2 
2 
4 
4 
2 
1 


Memory Operations Which 
Don’t Trap 


hw ft = 
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Instruction breakpoint addresses must have a length specification of one byte (LEN = 
00); the behavior of code breakpoints for other operand sizes is undefined. The proces- 
sor recognizes an instruction breakpoint address only when it points to the first byte of 
an instruction. If the instruction has any prefixes, the breakpoint address must point to 
the first prefix. | 


11.3 DEBUG EXCEPTIONS 


Two of the interrupt vectors.of the Intel486 processor are reserved for debug exceptions. 
The debug exception is the usual way to invoke debuggers designed for the Intel486 
processor; the breakpoint exception is intended for putting breakpoints in debuggers. | 


11.3.1 Interrupt 1—Debug Exceptions 


The handler for this exception usually is a debugger or part of a debugging system. The 
processor generates a debug exception for any of several conditions. The debugger can 
check flags in the DR6 and DR7 registers to determine which condition caused the 
exception and which other conditions also might apply. Table 11-2 shows the. states of 
these bits for each kind of breakpoint condition. | ss 


Instruction breakpoints are faults; other debug exceptions are traps. The debug excep- | 
tion may report either or both at one time. ‘The ewe sections Present gets for 
each class of sda exception. , ae | | a 


11.3.1.1 INSTRUCTION-BREAKPOINT FAULT 


_ The processor reports. an instruction breakpoint before it executes the breakpointed 
instruction . e., a geome exec prion caused by an instruction Dbieapout isa mu 


The RF flap’ sents thi debus Beeeaiioni handle: to restart instructions which cause 
faults other than debug. faults. When a debug fault occurs, the system software writer 
must set the RF bit in the copy of the EFLAGS register which is pushed on the stack in 
the debug exception handler routine. This bit is set in pecbelauon of resuming the 


Table 11-2. Debug Exception Conditions 


BS = 1 ae Single-step trap 

BO = 1 and (GEO = 1orLEQ=1) | Breakpoint defined by DRO, LENO, and R/WO 
Bi = 1 and (GE1 = 1 or LE1 1) Breakpoint defined by DR1, LEN1, and R/W1 
B2 = 1 and (GE2 = 1 or LE2 : Breakpoint defined by DR2, LEN2, and R/W2 


( 
( 
( 
B3 = 1 and (GE3 = 1 or LES 7 Breakpoint defined by DR3, LENS, and R/W3 


BD = 1. Ss Debug registers in use for i in- -circuit emulation 
BT = 1 ie Task switch 


intel - DEBUGGING 


program’s execution at the breakpoint address without generating another breakpoint 
fault on the same instruction. (Note: The RF bit does not cause breakpoint traps to be 
ignored, nor other kinds of faults.) 


The processor clears the RF flag at the successful completion of every instruction except 
after the IRET instruction, the POPF instruction, POPFD instruction, and JMP, CALL, 
or INT instructions which cause a task switch. These instructions set the RF flag to the 
value specified by the the saved copy of the EFLAGS register. 


The processor sets the RF flag in the copy of the EFLAGS register pushed on the stack 
before entry into any fault handler. When the fault handler is entered for instruction 
breakpoints, for example, the RF flag is set in the copy of the EFLAGS register pushed 
on the stack; therefore, the IRET instruction which returns control from the exception 
handler will set the RF flag in the EFLAGS register, and execution will resume at the 
breakpointed instruction without generating another breakpoint for the same 
instruction. 


If, after a debug fault, the RF flag is set and the debug handler retries the faulting 
instruction, it is possible that retrying the instruction will generate other faults. The 
restart of the instruction after these faults also occurs with the RF flag set, so repeated 
debug faults continue to be suppressed. The processor clears the RF flag only after 
successful completion of the instruction. 


11.3.1.2 DATA-BREAKPOINT TRAP 


A data-breakpoint exception is a trap; 1.e., the processor generates an exception for a 
data breakpoint after executing the instruction which accesses the breakpointed memory 
location. 


The Intel486 processor always does exact data breakpoint matching, regardless of 
GE/LE bit settings. Exact reporting is provided by forcing the Intel486 processor execu- 
tion unit to wait for completion of data Cpe transfers before Pees ine execution of 
the next instruction. 


If a debugger needs to save the contents of a write Beaiepailit location, it should save 
the original contents before setting the breakpoint. Because data breakpoints are traps, 
the original data is overwritten before the trap exception is generated. The handler can 
report the saved value after the breakpoint is triggered. The data in the debug registers 
can be used to address the new value stored by the instruction which triggered the 
breakpoint. 


~ 11.3.1.3 GENERAL-DETECT FAULT 


The general-detect fault occurs when an attempt is made to use the debug registers at 
the same time they are being used by in-circuit emulation. This additional protection 
feature is provided to guarantee emulators can have full control over the debug registers 
when required. The exception handler can detect this condition by checking the state of 
the BD bit of the DR6 register. 
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11.3.1.4 ee eer TRAP . 


This trap occurs after an instruction is evseuted if fhe TF flag was set before nes instruc- 
tion was executed. Note the exception does not occur after an instruction which sets the 
TF flag. For example, if the POPF instruction is used to set the TF flag, a single-step 
trap does not occur until aust instruction ee the POPF instruction. 


The processor clears the TF fide before calling the exception handler. If the TF F flag was 
set in a TSS at the time of a task switch, the oe occurs s after the first instruction iS 
executed in the new — 


The single- step flag aormally is not cleared a by privilege oe inside a task. The INT 
instructions, however, do clear the TF flag. Therefore, software debuggers which single- 
step code must recognize and emulate INT n or INTO instructions rather than executing 
them directly. | 


To maintain protection, the operating system. should check the current execution privi- 
lege level after any single-step trap to see if ee stepping should continue at the 
current privilege level. — | 


The interrupt priorities guarantee that if an external interrupt occurs, single stepping 
stops. When both an external interrupt and a single step interrupt occur together, the 
single step interrupt is processed first. This clears the TF flag. After saving the return 
address or switching tasks, the external interrupt input is examined before the first 
instruction of the single step handler executes. If the external interrupt is still pending, 
then it is serviced. The external interrupt handler does not run in single-step mode. To 
single step an interrupt handler, single step an INTn instruction which calls the interrupt 
handler. | 


11 3.1.5 TASK-SWITCH TRAP 


The debug exception also ¢ occurs after a task atc if the T bit of the new task’s TSS i IS 
set. The exception occurs after control has passed to the new task, but before the first 
instruction of that task is executed. The ee handler can detect this condition | 
oa. the BT. bit of the: DR6 ECE plore , peak 


Note that if the ésbus exception handler i is a 2 task, the T bit of its TSS should not be set. 
Failure to observe this rule will put the processor in a loop. | : 


11.3.2 Interrupt 3— —Breakpoint Instruction 


The breakpoint trap is caused by execution of the INT 3 instruction. Typically, a apie 
ger prepares a breakpoint by replacing the first opcode byte of an instruction with the 
opcode for the breakpoint instruction. When execution of the INT 3 instruction calls the 
exception handler, the return address points to the first byte of the instruction LOLONIE 
the INT 3 instruction. | we 
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With older processors, this feature is used extensively for setting instruction breakpoints. 
With the Intel486 processor, this use is more-easily handled using the debug registers. 
However, the breakpoint exception still is useful for breakpointing debuggers, because 
the breakpoint exception can call an exception handler other than itself. The breakpoint 
exception also can be useful when it is necessary to set a greater number of breakpoints 
than permitted by the debug registers, or when breakpoints are being placed in the 
source code of a program under development. 


Caching 


12 


CHAPTER 12 
CACHING 


The Intel486 processor has an on-chip internal cache for storing 8K bytes of instructions 
and data. The cache raises system performance by satisfying an internal read request 
more quickly than a bus cycle to memory. This also reduces the processor’s use of the 
external bus. The internal cache is transparent to program operation. 


The Intel486 processor can use an external second-level cache outside of the processor 
chip. An external cache normally improves performance and reduces bus bandwidth 
required by the Intel486 processor. 


Caches require special consideration in multiprocessor systems. When one processor 
accesses data cached in another processor, it must not receive incorrect data. If it mod- 
ifies data, all other processors which access that data must receive the modified data. 
This property is called cache consistency. The Intel486 processor provides mechanisms 
which maintain cache consistency in the presence of multiple processors and external 
caches. 


The operation of internal and external caches is transparent to application software, but 
knowledge of the behavior of these caches may be useful in optimizing software perfor- 
mance. In multiprocessor systems, maintenance of cache consistency may require inter- 
vention by system software. 


The cache is available in all execution modes: real mode, protected mode, and virtual- 
8086 mode. For properly designed single-processor systems, the cache can be initially 
enabled and not require further control. 3 


42.1 INTRODUCTION TO CACHING | 


Caches are often implemented as associative memories..An associative memory has extra 
storage for each unit of memory, called a tag. When an address is applied to an associa- 
tive memory, each tag simultaneously compares itself against the address. If a tag 
matches the address, access is provided to the unit of memory associated with the tag. 
This is called a cache hit. If no match occurs, the cache signals a cache miss. A cache miss 
requires a bus cycle to access main memory. 


To gain eticiene in the implementation of the internal cache, storage is allocated in 
chunks of 128-bits, called cache lines. External caches are not likely to use cache lines 
smaller than those of the internal cache. 


The cache of the Intel486 processor does not support partially-filled cache lines, so 
caching a single doubleword requires caching four doublewords. This would be an inef- 
ficient use of the cache if it were not for the fact that the processor rarely makes access 
to random locations in memory. Over any small span of time, the processor usually 
accesses a small number of areas in memory, such as the code segment or the stack, and 
it usually accesses many neighboring addresses in these areas. 
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To simplify the hardware implementation, cache lines can only be mapped to aligned 
128-bit blocks of main memory. (An aligned 128-bit block begins at an address which is 
clear in its low four bits.) When a new cache line is allocated, the processor loads a block 
from main memory into the cache line. This operation is called a cache line fill. Allocated 
cache lines are said to be valid. Unallocated cache lines are invalid. 


Caching can be write-through or eae: On reads, both forms of caching operate as 
described above. On writes, write-through caching updates both cache memory and main 
memory; write-back caching updates only the cache memory. Write-back caching 
updates main memory when a write-back operation is performed. Write-back operations 
are triggered when cache lines need to be de-allocated, such as when new cache lines are 
being allocated in a cache which 1s already full. Write-back operations also are triggered 
by the mechanisms used to maintain. cache consistency. 


The internal each of the Intel486 processor is a write-through cache. It can be used with 
external caches which are write-through, write-back, or a mixture of both. 


12.2 OPERATION OF THE INTERNAL CACHE 


Software controls the operating mode of the cache. Caching can be enabled (its state 
following reset initialization), caching can be disabled while valid cache lines exist (a 
mode in which the cache acts like a fast, internal RAM), or caching can be fully 
disabled. 


Precautions must be followed when disabling the cache. Whenever CD is set to 1, the 
Intel486 processor will not read external memory if a copy is still in the cache. Whenever 
NW is set to 1, the Intel486 processor will not write to external memory if the data is in 
the cache. This means stale data can develop in the Intel486 CPU cache. This stale data 
will not be written to external memory if NW is later set to 0 or that cache line is later 
overwritten as a result of a mane miss. In Benetat the cache should be flushed when 
disabled. — | 7 4 : : 


It is possible to freeze data in the cache by loading it using test registers while CD and 
NW are set. This is useful to provide guaranteed cache hits for time critical interrupt 
code and data. 


Note that all segments should start on 16 byte boundaries to allow programs to align 
code/data in cache lines. 


12.2.1 Cache ecial Bits 


Table 12- 1 summarizes the modes enabled by the CD and NW bits: 
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Table 12-1. Cache Operating Modes 


Caching is disabled, but valid cache lines continue to 
respond. To completely disable the cache, enter this 
mode and perform a cache flush. To use the cache as a 
fast internal RAM, preload the cache with valid cache 
lines by careful choice of memory operations or by using 
the test registers. In this mode, writes to valid cache lines 
update the cache, but do not update main memory. 


No new cache lines are allocated, but valid cache lines 
continue to respond. 


Invalid setting. A general-protection exception with an 
error code of zero is generated. 


Caching is enabled. 


12.2.2 Cache Management Instructions 


The INVD and WBINVD instructions are used to invalidate the contents of the internal 
and external caches. The INVD instruction flushes the internal cache and generates a 
special bus cycle which indicates that external caches also should be flushed. (The 
response of hardware to receiving a cache flush bus cycle is implementation dependent; 
hardware might use some other mechanism for maintaining cache consistency.) 


There is only one difference between the WBINVD and INVD instructions. The 
WBINVD instruction generates a special bus cycle which indicates external, write-back 
caches should write-back modified data to main memory. This cycle is produced imme- 
diately before the cycle to flush the cache. | 


12.2.3 Self-Modifying Code 


A write to an instruction in the cache will modify it in both cache and memory, but if the 
instruction was prefetched before the write, the old version of the instruction could be 
the one executed. To prevent this, flush the instruction prefetch unit by coding a jump 
instruction immediately after any write that modifies an instruction. 


12.3 PAGE-LEVEL CACHE MANAGEMENT 


The Intel486 processor defines two bits in entries in the page directory and second-level 
page tables which are reserved on Intel386 processors. These bits are used to drive 
processor output pins. These bits are used to manage the caching of pages. 
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12.3.1 Cache Management Bits 


The PCD and PWT bits control caching on a aaecey. page basis. The PCD bit (page- 
level cache disable) affects the operation of the internal cache. Both the PCD bit and the 
PWT bit (page-level write-through) drive processor output pins for controlling external 
caches. The treatment of these signals by external hardware is implementation- 
dependent; for example, some hardware systems may control the caching of pages by 
decoding some of the high address bits. 


There are dice potential sources si the bits er to drive the PCD er PWT outputs of 
the processor: the CR3 register, the page directory, and the second-level page tables. 

The processor outputs are driven by the CR3 register for bus cycles where paging is not 
used to generate the address, such as the loading of an entry in the page directory. The. 
outputs are driven by a page directory entry when an entry from a second-level page 
table is accessed. The outputs are driven by a second-level page table entry when instruc- 
tions or data in memory are accessed. When paging is disabled, these bits are ignored 
(CPU assumes PCD= 0 and PWT=0). 


12.3.1.1 PCD BIT 


When a page table entry has a set PCD bit (bit position 4), caching of the page is 
disabled, even if hardware is requesting caching by asserting the KEN# input. When the 
PCD bit is clear, caching may be requested by hardware on a cycle- by-cycle basis. 


Disabling caching is necessary for pages which contain memory-mapped I/O ports. It 
also is useful for pages which do not pLOuce a performance benefit when cached, such as 
initialization software. — | 7 


Regardless of the page- -table entries, the Intel486 processor will i ignore the PCD output 
Cans PCD =0) whenever the CD (Cache Disable) bit in CRO is set. 


12.3.1.2 PWT BIT 


When a page table entry has a set PWT bit (bit position 3), a write-through caching 
policy is specified for data in the corresponding page. Clearing the PWT bit allows the 
possibility of using a write-back policy for the page. Since the internal cache of the 
Intel486 processor is a write-through cache, it is not affected by the state of the PWT bit. 
External caches however may use write-back caching, and so can use the output signal 
driven by the PWT bit to control caching policy on a page- i page basis. 7 


In multiprocessor systems, enabling write-through may be advantageous for siiseed mem- 


ory, particularly for memory locations written infrequently by one processor, but read 
often by many processors. 
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CHAPTER 13 
MULTIPROCESSING 


The Intel486 processor supports multiprocessing on the system bus. Processors on the 
system bus can have different bus widths. 


Multiprocessors can increase particular aspects of system performance. For example, a 
computer graphics system may use an i860 CPU for fast rendering of raster images, while 
an Intel486 processor is used to support a standard operating system, such as UNIX or 
OS/2. Multiprocessing systems are sensitive to two design issues: 


0 Maintaining cache consistency — — When one processor accesses data cached in another 
processor, it must not receive incorrect data. If it modifies data, all other PIGCESSOIS 
which access that data must receive the modified data. 


o Reliable communication — Processors need to be able to communicate with each other 
in a way which eliminates interference when more than one processor simultaneously 
accesses the same area in memory. | 


Cache consistency was discussed earlier, in Chapter 12. Reliable communication is dis- 
cussed in the following section, which describes the mechanism used to “lock” the bus. 


13.1 LOCKED AND PSEUDO-LOCKED BUS CYCLES| 


While the system architecture of multiprocessor systems varies greatly, they generally 
have a need for reliable communication with memory. A processor in the act of updating 
the Accessed bit of a segment descriptor, for example, should reject other attempts to 
update the descriptor until the operation is complete. — 


It also is necessary to have reliable communication with other processors. Bus masters 
need to exchange data in a reliable way. For example, a bit in memory may be shared by 
several bus masters for use as a signal that some resource, such as a peripheral device, is 
idle. A bus master may test this bit, see that the resource is free, and change the state of 
the bit. The state would indicate to other potential bus masters that the resource is in 
use. A problem could arise if another bus master reads the bit between the time the first 
bus master reads the bit and the time the state of the bit is changed. This condition 
would indicate to both potential bus masters that the resource is free. They may inter- 
fere with each other as they both attempt to use the resource. The processor prevents 
this problem through support of locked bus: cycles; requests for control of the bus are 
ignored eunng locked cycles. ) 


The Intel486 processor protects the integrity of certain critical memory operations by 
asserting an output signal called LOCK#. Reads and writes of aligned 64-bit operands 
and (128-bit) instruction prefetches are protected by an output called PLOCK*#. It is the 
responsibility of the hardware designer to use these signals to control memory access 
among processors. 
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The processor automatically asserts one of these signals during certain critical memory 
operations. Software can specify which other memory operations need to have LOCK# 
asserted. 


The features of the general-purpose multiprocessing interface include: 
e The LOCK# signal, which eppeds on a pin of the processor. 

° The PLOCK# signal, which appears on a pin of the processor. 

e The LOCK instruction prefix, which allows software to assert LOCK#. 
e Automatic assertion of LOCK# for some kinds of memory operations. 


¢ Automatic assertion of PLOCK# for. some other kinds of memory operations. 


13.1.1 LOCK Prefix and the LOCK# Signal 


The LOCK prefix and its bus signal only should be used to prevent other bus masters 
from interrupting a data movement operation. The LOCK prefix can be used with the 
following Intel486 CPU instructions when they modify memory. An invalid-opcode 
exception results from using the LOCK prefix before any other instruction, or with these 


' instructions when no write operation is made to memory (i. e., when the destination 


operand is in a register). 
e Bit test and change: the BTS, BTR, and BTC instructions. 


e Exchange: the XCHG, XADD, and ‘CMPXCHG instructions (no LOCK prefix is 
needed for the XCHG instruction). 


° One- -operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 


e Two- -operand arithmetic and logical the ADD, ADC, ‘SUB, SBB, AND, OR, se 
XOR instructions. 


A locked instruction is guaranteed to lock only the area oe memory defined by the desti- 
nation operand, but may lock a larger memory area. F or example, typical 8086 and 80286 
configurations lock the entire physical memory space. | 


Semaphores (ciavedi memory vaused for jenailing between multiple processors) should be 
accessed using identical address and length. For example, if one processor accesses a 
semaphore using word access, other processors should not access the semaphore using 
byte access. | | 


The niceuer of the ioe is not affected by the aient of the memory field. The 
LOCK# signal is asserted for as many bus cycles as necessary to update the entire 
operand. | 
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13.1.2 Automatic Locking 


There are some critical memory operations for which the processor automatically asserts 
the LOCK# signal. These operations are: 


° 


Acknowledging interrupts. 


After an interrupt request, the interrupt controller uses the data bus to send the 
interrupt vector of the source of the interrupt to the processor. The processor asserts 
LOCK# to ensure no other data appears on the data bus during this time. 


Setting the Busy bit of a TSS descriptor. 


The processor tests and sets.the Busy bit in the Type field of the TSS descriptor when 
switching to a task. To ensure two different processors do not switch to the same task 
simultaneously, the Processor asserts the LOCK# signal while testing and setting 
this bit. 


Updating segment descriptors. 


When loading a segment descriptor, the processor will set the Accessed bit if the bit is 
clear. During this operation, the processor asserts LOCK# so the descriptor will not 
be modified by another processor while it is being updated. For this action to be 
effective, operating-system procedures which aESete descriptors should use the fol- 
lowing steps: 


~Use a locked operation when updating the access-rights byte to mark the 
descriptor not-present, and specify a value for the Type field which indicates the 
descriptor is being updated. 


—~ Update the fields of the descriptor. (This may require several memory accesses; 
therefore, LOCK cannot be used.) 


—~ Use a locked operation when updating the access-rights byte to mark the 
descriptor as valid and present. 


Note that the Intel386 DX processor always updates the Accessed bit, whether it is 
clear or not. The Intel486 processor only updates the Accessed bit if it is not already 
set. 


Updating page-directory and page-table entries. 


When updating page-directory and page-table entries, the processor uses locked 
cycles to set the Accessed and Dirty bits. 


Executing an XCHG instruction. 


The Intel486 processor always asserts LOCK# during an XCHG instruction which 
references memory (even if the LOCK prefix is not used). 


13.1.3 Pseudo-Locking 


The PLOCK# pin indicates that the current bus cycle and the following one should be 
treated as an atomic transfer. By implementing the pseudo-lock mechanism, system 
hardware can guarantee atomic reads and writes of 64-bit operands. The operand must 
be aligned to a doubleword boundary, so that the read or write requires no more than 
two bus cycles to be completed. 
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The pseudo-lock mechanism can also be used to protect instruction prefetches and other 
transfers of more than 32 bits. For a detailed discussion of the PLOCK# signal, its 
timing and its various uses, see the Intel486™ Processor Hardware Reference Manual. 
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CHAPTER 14 
INTRODUCTION TO NUMERIC APPLICATIONS 


The Intel486 processor contains a high-performance numerics processing element that 
provides significant numeric capabilities and direct support for floating-point, extended- 
integer, and BCD data types. The Intel486 Floating Point Unit (FPU) easily supports 
powerful and accurate numeric applications through its implementation, with radix 2, of 
the IEEE Standard 854 for Floating-Point Arithmetic. The Intel486 FPU provides 
floating-point performance comparable to that of large minicomputers while offering 
compatibility with object code for 8087, Intel287, Intel387 DX and Intel387 SX math 
coprocessors. 


14.1 HISTORY 


The Intel486 FPU is compatible with its predecessors, the earlier Intel 8087, Intel287 
and Intel387 DX coprocessor. Programs designed to use the 8087, Intel287 or Intel387 
math coprocessor should run unchanged on the Intel486 processor. Refer to Figure 3-23 
to identify the floating point unit in your system. 


The 8087 NPX was designed for use in 8086-family systems. The 8086 was the first 
microprocessor family to partition the processing unit to permit high-performance 
numeric capabilities. The 8087 NPX for this processor family implemented a complete 
numeric processing environment in compliance with an early proposal for IEEE. Stan- 
dard 754 for Binary Floating-Point Arithmetic. : 


With the Intel287 Numeric Processor Extension, high-speed numeric computations were 
extended to 286 high-performance multitasking and multiuser systems. Multiple tasks 
using the numeric processor extension were afforded the full protection of the 286 mem- 
ory management and protection features. 


The Intel387 DX and SX math coprocessors are Intel’s third generation numerics pro- 
cessors. They implement the final IEEE Std 754, adds new trigonometric instructions, 
and uses a new design and CHMOS-III process to allow higher clock rates and require 
fewer clocks per instruction. Together, the Intel387 math coprocessor with additional 
instructions and the improved standard brought even more convenience and reliability to 
numerics programming and made this convenience and reliability available to applica- 
tions that need the high- -speed and large memory capacity of the 32-bit environment of 
the Intel386 microprocessor. 


The Intel486 FPU is an on-chip equivalent of the Intel387 DX coprocessor conforming 
to both IEEE Std 754 and the more recent, generalized IEEE Std 854. Having the FPU 
on chip results in a considerable performance improvement in numerics-intensive com- 
putation. Figure 14-1 illustrates the relative performance of 5-MHz 8086 CPU/8087 
NPX, 8-MHz 286 CPU/Intel287 NPX, 20-MHz Intel386 DX CPU/Intel387 DX systems, 
and a 33-MHz Intel486 processor, in executing numerics-oriented applications. 
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i486™ CPU (33 MHz) _ 
e 


RELATIVE 
PERFORMANCE | 


i386™ DX CPU/i387™ DX NPX (20 MHz) 
® 


8086/8087 (5 MHz) — 80286/80267 (8 MHz) 
: 
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Figure 14-1. Evolution and Performance of Numeric Processors 


14.2 PERFORMANCE 


Table 14-1 compares the execution times of several Intel486 CPU numeric instructions 
with the equivalent operations executed on a 16-MHz Intel387 DX math coprocessor. As 
indicated in the table, the 33-MHz Intel486 floating-point processor provides about 5 
times the performance of a 16-MHz Intel387 DX math coprocessor. A 33-MHz Intel486 
processor multiplies 32-bit and 64-bit floating-point numbers in about .33 and .42 micro- 
seconds, respectively. Of course, the actual performance of the processor in a given 
system depends on the characteristics of the individual application. 


The Intel486 Integer Unit (IU) and FPU coordinate their activities in a manner trans- 
parent to software. Moreover, built-in coordination facilities allow the IU to proceed 
with other instructions while the FPU is simultaneously executing numeric instructions. 


Table 14-1. Numeric Processing Speed Comparisons 


Approximate Performance Ratio: 
Floating-Point Instruction 33 MHz Intel486™ + : 
| | 16 MHz Intel386™ DX/Intel387™ DX. 


FADD — ST, ST(i) Addition 7 4,2 
FDIV dword_var ~ Division 2.0 
FYL2X stack(0),(1) assumed Logarithm _ | 2.5 
FPATAN § stack(0) assumed Arctangent . 2.2 
F2XMI__stack(0) assumed —- Exponentiation 7 2.2 


FLD ST(0), ST(i Data Transfer | BS 
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Programs can exploit this concurrency of execution to further increase een perfor- 
mance and throughput. 


14.3 EASE OF USE 


The Intel486 FPU provides more than raw execution speed for computation-intensive 
tasks; it brings the functionality and power of accurate numeric computation into the 
hands of the general user. These features are available in most high-level languages 
available for the Intel486 processor. 


Like the 8087, Intel287 and Intel387 DX coprocessor that preceded it, the Intel486 FPU 
is explicitly designed to deliver stable, accurate results when programmed using straight- 
forward “pencil and paper” algorithms. IEEE Std 754 specifically addresses this issue, 
recognizing the fundamental importance of making numeric computations both easy and 
safe to use. | L.A 


For example, most computers can overflow when two single-precision floating-point 
numbers are multiplied together and then divided by a third, even if the final result is a 
perfectly valid 32-bit number. The Intel486 FPU delivers the correctly rounded result. 
Other typical examples of undesirable machine behavior in straightforward calculations 
occur when computing financial rate of return, which involves the expression (1 + i)" or 
when solving for roots of a quadratic equation: 7 


—b+ b? — 4ac 


If a does not equal 0, the formula is numerically unstable when the roots are nearly 
coincident or when their magnitudes are wildly different. The formula is also vulnerable 
to spurious over/underflows when the coefficients a, b, and c are all very big or all very 
tiny. When single-precision (4-byte) floating-point coefficients are given as data and the 
formula is evaluated in the Intel486 FPU’s normal way, keeping all intermediate results 
in its stack, the FPU produces impeccable single-precision roots. This happens because, 
by default and with no effort on the programmer’s part, the FPU evaluates all those 
subexpressions with so much extra precision and range as to overwhelm any threat to 
numerical integrity. 


If double-precision data and results were at issue, a better formula would have to be 
used, and once again the Intel486 FPU’s default evaluation of that formula would pro- 
_ vide substantially enhanced numerical integrity over mere double-precision evaluation. 


On most machines, straightforward algorithms will not deliver consistently correct results 
(and will not indicate when they are incorrect). To obtain correct results on traditional 
machines under all conditions usually requires sophisticated numerical techniques that 
are foreign to most programmers. General application programmers using straightfor- 
ward algorithms will produce much more reliable programs using the Intel486 processor. 
This simple fact greatly reduces the software investment required to develop safe, accu- 
rate computation-based products. | 
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Beyond traditional numerics support for scientific applications, the Intel486 processor 
has built-in facilities for commercial computing. It can process decimal numbers of up to © 
18 nae without round-off errors, performing exact arithmetic on integers as large as 2° 
or 10°°. Exact arithmetic is vital in accounting applications where ee errors may 
introduce monetary losses that cannot be reconciled. , 


The Intel486 processor contains a number of optional numerical facilities that can be 
invoked by sophisticated users. These advanced features include directed rounding, 
graguabe underflow, and programmed exception-handling facilities. 


These automatic exception-handling facilities permit a high feee of flexibility in 
numeric processing software, without burdening the programmer. While performing 
numeric calculations, the Tntel486 processor automatically detects exception conditions 
that can potentially damage a calculation (for example, X + 0 or when X < 0). By 
default, on-chip exception logic handles these exceptions so that a reasonable result is 
produced and execution may proceed without program interruption. Alternatively, the 
processor can invoke a software exception handler to oars oe results Wales: 
various IPCs of exCepnONs are Picnics: : : 


14.4 APPLICATIONS 


The Intel486 processor’ s versatility aid perioniiac: make it apeiopnate to a. broad 
array of numeric applications. In general, applications that exhibit any of the following 
characteristics can benefit by implementing numeric processing on the pores 
processor: 


e Numeric data vary over a wide range of values, or include nonintegral values 
e Algorithms produce very large or very small intermediate results. 


© Computations must be very precise; 1.e., a large number of significant digits must be 
maintained. — | | 


e Performance requirements szeced the epacy of ‘aditienal microprocessors. 


o- Consistently safe, reliable results must be delivered using a programming staff that is 
- not expert in numerical techniques. 


Note also that the Intel486 processor can reduce software development costs and 
improve the performance of systems that use not ie real numbers, but operate on 
multiprecision binary or decimal integer values as well. 


A few examples, which show ae the Intel486 processor might be used in specific 
numerics applications, are described below. In many cases, these types of systems have 
been implemented 1 in the past with minicomputers or small mainframe computers. 


- Business data processing — The Intel486 FPU’s ability to: accept decimal operands and 
Lprodie. exact decimal results of up to 18 digits greatly simplifies accounting program- 
ming. Financial calculations that use power functions can take advantage of the 
Intel486 processor’s exponentiation and logarithmic instructions: Many business soft- 
ware packages can benefit from the speed and accuracy of the Intel486 FPU. 


14-4 


intel. INTRODUCTION TO NUMERIC APPLICATIONS 


e Simulation—The large (32-bit) memory space and raw speed of the Intel486 proces- 
sor make it suitable for attacking large simulation problems, which heretofore could 
only be executed on expensive mini and mainframe computers. For example, complex 
electronic circuit simulations using SPICE can be performed on an Intel486 proces- 
sor. Simulation of mechanical systems using finite element analysis can employ more 
elements, resulting in more detailed analysis or simulation of larger systems. 


e Graphics transformations—The Intel486 processor can be used in graphics applica- 
tions, with the FPU performing many functions concurrently with the operation of the 
IU; these functions include rotation, scaling, and interpolation. By also using an 

_ 82786 Graphics Display Controller to perform high-speed drawing and window man- 
agement, very powerful and highly self-sufficient terminals can be built from a small 
number of parts. 


e Process control—The Intel486 FPU solves dynamic range problems automatically, 
and its extended precision allows control functions to be fine-tuned for more accurate 
and efficient performance. Using the Intel486 processor to implement control algo- 
rithms also contributes to improved reliability and peel), while the processor’ S speed 
can be exploited in real-time operations. | 


e Computer numerical control (CNC) —The Intel486 processor can move and position 
_ machine tool heads with accuracy in real-time. Axis positioning also benefits from the 
hardware trigonometric support provided by the FPU. 


e Robotics—Coupling small size and modest power requirements with powerful com- 
putational abilities, the Intel486 processor is ideal for on-board six-axis positioning. 


e Navigation—Very small, lightweight, and accurate inertial guidance systems can be 
implemented with the Intel486 processor. Its built-in trigonometric functions can 
speed and simplify the calculation of position from bearing data. 


e Data acquisition —The Intel486 processor can be used to scan, scale, and reduce large 
quantities of data as it is collected, thereby lowering storage requirements and time 
required to process the data for analysis. 


The preceding examples are oriented toward traditional numerics applications. There 
are, in addition, many other types of systems that do not appear to the end user as 
computational, but can employ the Intel486 processor’s numerical capabilities to advan- 
tage. The imaginative system designer has an opportunity similar to that created by the 
introduction of the microprocessor itself. Many applications can be viewed as 
numerically-based if sufficient computational power is available to support this view 
(e.g., character generation for a laser printer). This is analogous to the thousands of 
successful products that have been built around “buried” microprocessors, even though 
the products themselves bear little resemblance to computers. 


14.5 PROGRAMMING INTERFACE 

The Intel486 processor has a class of instructions known as ESCAPE instructions, all 
having a common format. These ESC instructions are numeric instructions for the FPU. 
These numeric instructions are part of a single integrated instruction set. 


Numeric processing in the Intel486 processor centers around the floating-point register 
stack. Programmers can treat these eight 80-bit registers either as a fixed register set, 
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with instructions operating on explicitly-designated registers, or as a classical stack, with 
instructions operating on. the aa one or two stack elements. | 


rhesedaliy the Intel486 FPU holds all eee in a ninitont 80- bit extended format. 
Operands that may be represented in memory as 16-, 32-, or 64-bit integers, 32-, 64-, or 
80-bit floating-point numbers, or 18-digit packed BCD numbers, are automatically con- 
verted into extended format as they are loaded into the FPU registers. Computation 
results are subsequently converted back into one of these destination data formats when 
ee are stored into: Oy from the FPU Ecesters : 


Table 14- 2. lists each af i seven numeric aia ne epee by the Intel486 FPU, 
showing the data format for each type. The table also shows the approximate range of 
normalized values that can be represented with each type. Denormal values are also 
supported in each of the real es as required by IEEE Std 854. Denormals are dis- 
cussed in veer 16. 


All Speiiads are stored i in memory with the least pathic digits starting at the initial 
(lowest) memory address. Numeric instructions access and store memory operands using 
only this initial address. For maximum system performance, every operand should start 
at a memory address divisible by the smallest power of two greater than the operand’s 
length (in bytes). 


Table 14-3 lists the numeric instructions by class. No special programming tools are 
necessary to use the numerical capabilities of the Intel486 processor, because all of the 
numeric instructions and data types are directly supported by the ASM386/486 Assem- 
bler, by high-level languages from Intel, and by assemblers and compilers produced by 
many independent software vendors. Numeric routines for the Intel486 processor can be 
written in ASM386/486 Assembler or any of the following higher-level aEeees from 
Intel: 


PL/M-386/486 
C-386/486. 

- FORTRAN-386/486 
ADA-386/486 


Table 14-2. Numeric Data Types : 
Significant | 


Data Type Digits 
: (Decimal) 


Approximate Normalized 
Range (Decimal) 


Word integer  -~82,768 < x < + 32,767 
Short integer : —2x10°9<x<+2-x 10% 


_ Longinteger - |. 64. 8 : —-9xi0%<sxs+9x 10% © 
Packed decimal 80 |.  — 99.99 <= x < + 99...99 (18 digits) 

— Singlereal ae os 4.18 x 10738 <| x | < 3.40 x 1088 
Double real | € 15-16 | 2.23 x 10798 < | x | < 1.79 x 10° 
Extended real* =| | 8.87 x 1074992 < | x | < 1.18 x 104997 


“eguMelent to double exenges format of IEEE Std 854. 
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Table 14-3. Principal Numeric Instructions 


Data Transfer Load (all data types), Store (all data types), Exchange 


Arithmetic Add, Subtract, Multiply, Divide, Subtract Reversed, Divide 
Reversed, Square Root, Scale, Extract, Remainder, Integer Part, 
Change Sign, Absolute Value ; 


Comparison Compare, Examine, Test 
Transcendental Tangent, Arctangent, Sine, Cosine, Sine and Cosine, 2* —1, 
Y -Logs(X), Y - Logs (X+ 1) 
Constants 0, 1, 7, Log,92, Log,2, Log,10, Logse 
Processor Control Load Control Word, Store Control Word, Store Status Word, Load 


Environment, Store Environment, Save, Restore, Clear Excep- 
tions, Initialize . 


In addition, all of the development tools supporting the 8086/8087, 80286/80287 and 
80386 DX/80387 DX NPX can also be used to develop numerical software for the 
Intel486 processor. 


All of these high-level languages provide programmers with access to the computational 
power and speed of the Intel486 processor without requiring an understanding of its 
architecture. Such architectural considerations as concurrency and synchronization are 
handled automatically by these high-level languages. For the ASM386/486 programmer, 
specific rules for handling these issues are discussed in a later section of this manual. 
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CHAPTER 15 
ARCHITECTURE OF THE FLOATING-POINT UNIT 


To the programmer, the Intel486 FPU appears as a set of additional registers, data 
types, and instructions. Refer to Chapter 26 for detailed explanations of the numerical 
instruction set. This chapter explains the numerical registers and data types of the 
Intel486 architecture. 


15.1 NUMERICAL REGISTERS 


The Intel486 numerical registers consist of 
e Eight individually-addressable 80-bit numeric registers, organized as a register stack. 
eo Three 16-bit registers containing: 


The FPU status word. 
The FPU control word. 
The tag word. 


e Error pointers, consisting of: 


Two 16-bit registers containing selectors for the last instruction and operand. 
Two 32-bit registers containing offsets for the last instruction and operand. 
One 11-bit register containing the opcode of the last non-control FPU instruction. 


All of the Intel486 numeric instructions focus on the contents of these FPU registers. 


15.1.1 The FPU Register Stack 


The Intel486 FPU register stack is shown in Figure 15-1. Each of the eight numeric 
registers in the stack is 80 bits wide and is divided into fields corresponding to the 
Intel486 processor’s extended real data type. 


Numeric instructions address the data registers relative to the register on the top of the 
stack. At any point in time, this top-of-stack register is indicated by the TOP (stack 
TOP) field in the FPU status word. Load or push operations decrement TOP by one and 
load a value into the new top register. A store-and-pop operation stores the value from 
the current TOP register and then increments TOP by one. Like stacks in memory, the 
FPU register stack grows down toward lower-addressed registers. 


Many numeric instructions have several addressing modes that permit the programmer 
to implicitly operate on the top of the stack, or to explicitly operate on specific registers 
relative to the TOP. The ASM386/486 Assembler supports these register. addressing 
modes, using the expression ST(0), or simply ST, to represent the current Stack Top and 
ST() to specify the ith register from TOP in the stack (0 <= i s 7). For example, if TOP 
contains 011B (register 3 is the top of the stack), the following statement would add the 
contents of two registers in the stack (registers 3 and 5): 


FADD ST, ST(e) 
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FPU DATA REGISTERS — 


15 QO 47 

[INSTRUCTION PONTER 
ysrarusreaisten | [___Dataromren ___| 
[_raaworo | 
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Figure 15-1. Intel486™ FPU Register Set 


The stack organization and top-relative addressing of the numeric registers simplify sub- 
routine programming by allowing routines to pass parameters on the register stack. By 
using the stack to pass parameters rather than using “dedicated” registers, calling rou- 
tines gain more flexibility in how they use the stack. As long as the stack is not full, each 
routine simply loads the parameters onto the stack before calling a particular subroutine 
to perform a numeric calculation. The subroutine then addresses its parameters as ST, 
ST(1), etc., even though TOP may, for example, refer to physical register 3 in one invo- 
cation and physical register 5 in another. — * | an 


15.1.2 The FPU Status Word 


The 16-bit status word shown in Figure 15-2 reflects the overall state of the FPU. This 
status word may be stored into memory using the FSTSW/FNSTSW, FSTENV/ 
FNSTENV, and FSAVE/FNSAVE instructions, and can be transferred into the AX 
register with the FSTSW AX/FNSTSW AX instructions, allowing the FPU status to be 
inspected by the Integer Unit. | 


The B-bit (bit 15) is included for 8087 compatibility only. It reflects the contents of the 
ES bit (bit 7 of the status word). a 7 


The four FPU condition code bits (C3-C,) are similar to the flags in a CPU: the Intel486 
processor updates these bits to reflect the outcome of arithmetic operations. The effect 
of these instructions on the condition code bits is summarized in Table 15-1. These 
condition code bits are used principally for conditional branching. The FSTSW AX 
instruction stores the FPU status word directly into the AX register, allowing these 
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——FPU BUSY 
TOP OF STACK POINTER 


1 ; 


5 7 0 
Cc 
ERROR SUMMARY | 


STACK FAULT- 

EXCEPTION FLAGS 
PRECISION 
UNDERFLO 


DENORMALIZED OPERAN 
INVALID OPERATION 


ES IS SET IF ANY UNMASKED EXCEPTION BIT IS SET; CLEARED OTHERWISE. 
SEE TABLE 15-1 FOR INTERPRETATION OF CONDITION CODE. 


TOP VALUES: 
000 = REGISTER 0 IS TOP OF STACK 
001 = REGISTER 1 IS TOP OF STACK 


111 = REGISTER 7 IS TOP OF STACK 


| FOR DEFINITIONS OF EXCEPTIONS, REFER TO CHAPTER 3. 
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Figure 15-2. Intel486™ FPU Status Word 


condition codes to be inspected efficiently by Intel486 code. The SAHF instruction can 
copy C;-Cy directly to Intel486 flag bits to simplify conditional branching. Table 15-2 
shows the mapping of these bits to the Intel486 flag bits. 


Bits 11-13 of the status word point to the FPU register that is the current Top of Stack 
(TOP). The enuicance © of the ae top has been described in the prior section on the 
register stack. 


Figure 15-2 shows the six exception flags in bits 0-5 of the status word. Bit 7 is the 
exception summary status (ES) bit. ES is set if any unmasked exception bits are set, and 
is cleared otherwise. Bits 0-5 indicate whether the FPU has detected one of six possible 
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Table 15-1. Condition Code Interpretation 


FCOM, FCOMP, 
FCOMPP, FTST, 
FUCOM, FUCOMP, 
FUCOMPP, FICOM, 
FICOMP 


Operand is not 


Result of comparison ~ comparable or O/U# 


Sign 
or O/U# 


0=reduction complete 
PEM Value r= T= T 1 =reduction incomplete or Sole 


FIST, FBSTP, 

FRNDINT, FST, 

FSTP, FADD, 

FMUL, FDIV, 

FDIVR, FSUB, | UNDEFINED 
FSUBR, FSCALE, 7 

FSQRT, FPATAN, 

F2XM1, FYL2X, 

FYL2XP1 


Operand. class 


Roundup 
or O/U# 


. | Roundup 
0=reduction complete or O/U# 
1=reduction incomplete | (UNDEFINED 

: —— if C2=1) 


FPTAN, FSIN, 
FCOS, FSINCOS 


UNDEFINED 


FCHS, FABS, 
FXCH, FINCSTP, 


FDECSTP, Con- 
stant Loads, 
FXTRACT, FLD, 


Zero 


UNDEFINED or O/U# 


FILD, FBLD, FSTP 
(ext. real) 
FLDENV, FRSTOR ~ Each bit loaded from memory 
FLDCW, FSTENV, 


FSTCW, FSTSW, —— , UNDEFINED 
FCLEX | 


O/U# When both IE and SF bits of status word are set, indicating a stack exception, this bit 

| distinguishes between stack overflow (C1 =1) and underflow (C1 =0).: 

Reduction lf FPREM and FPREM1 produces a remainder that is less than the modulus, reduction is 
complete. When reduction is incomplete the value at the top of the stack is a partial 
remainder, which can be used as input to further reduction. For FPTAN, FSIN, FCOS, and 
FSINCOS, the reduction bit is set if the operand at the top of the stack is too large. In this 

case the original operand remains at the top of the stack. 

Roundup. ._ When the PE bit of the status word is set, this bit indicates whether the last rounding in the 

| | instruction was upward. | 

UNDEFINED Do not rely on finding any specific value in these bits. 
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Table 15-2. Correspondence Between FPU and IU Flag Bits 


exception conditions since these status bits were last cleared or reset. They are “sticky” 
bits, and can only be cleared by the instructions FINIT, FCLEX, FLDENV, FSAVE, 
and FRSTOR. | 


Bit 6 is the stack fault (SF) bit. This bit distinguishes invalid operations due to stack 
overflow or underflow from other kinds of invalid operations. When SF is set, bit 9 (C,) 
distinguishes between stack overflow (C, = 1) and underflow (C, = 0). 


15.1.3 Control Word 


The FPU provides the programmer with several processing options, which are selected 
by loading a word from memory into the control word. Figure 15-3 shows the format and 
encoding of the fields in the control word. 


The low-order byte of this control word configures the numerical exception masking. Bits 
0-5 of the control word contain individual masks for each of the six floating-point excep- 
tion conditions recognized by the Intel486 processor. The high-order byte of the control 
word configures the FPU processing options, ne 


o Precision control 


@ Rounding control 


The precision-control bits (bits 8-9) can be used to set the FPU internal operating 
precision at less than the default precision (64-bit significand). These control bits can be 
used to provide compatibility with the earlier-generation arithmetic processors having 
less precision than the Intel486 processor or Intel387 math coprocessor. The precision- 
control bits affect the results of only the following five arithmetic instructions: ADD, 
SUB(R), MUL, DIV(R), and SORT. No other operations are affected by PC. 


The rounding-control bits (bits 10-11) provide for the common round-to-nearest mode, 
as well as directed rounding and true chop. Rounding control affects the arithmetic 
instructions (refer to Chapter 16 for lists of arithmetic and nonarithmetic instructions) | 
and certain non arthimetic instructions, namely (FLD constant) and (FST(P)mem) 
instructions. 
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RESERVED 
(INFINITY CONTROL) 
ROUNDING CONTROL 


ae PRECISION CONTROL 
15 7 | 0 
RESERVED se teestecenicl 


EXCEPTION MASKS 


PRECISION 

UNDERFLOW 

OVERFLOW 

ZERO DIVIDE 
DENORMALIZED OPERAND 
INVALID OPERATION - 


ROUNDING CONTROL PRECISION CONTROL 
00-ROUND TO NEAREST OR EVEN 00-24 BITS (SINGLE PRECISION) 
01-ROUND DOWN (TOWARD -— -) 01-+RESERVED) 
10—-ROUND UP (TOWARD + -~) 10-53 BITS (DOUBLE PRECISION) 
11—CHOP (TRUNCATE TOWARD ZERO) | 11-64 BITS (EXTENDED PRECISION) 


*This “infinity contro!” bit is not meaningful to the i486™ PROCESSOR. 

To maintain compatibility with Intel287 Math CoProcessor this bit can be programmed; 
however, regardless of its value, the i486™FPU treats infinity in the affine 

sense (— - < + ©). 
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Figure 15-3. Intel486™ FPU Control Word Format 


15.1.4 The FPU Tag Word 


The tag word indicates the contents of each register in the register stack, as shown in 
Figure 15-4. The tag word is used by the FPU itself to distinguish between empty and 
nonempty register locations. Programmers of exception handlers may use this tag infor- 
mation to check the contents of a numeric register without performing complex decoding 
of the actual data in the register. The tag values from the tag word correspond to phys- 
ical registers 0-7. Programmers must use the current top-of-stack (TOP) pointer stored 
in the FPU status word to associate these tag values with the relative stack registers 
ST(0) through ST(7). 
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15 | , ‘e) 


TAG VALUES: 
oo VALID 


ZERO 
a al UNSUPPORTED), INFINITY, OR DENORMAL 
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Figure 15-4. Tag Word Format 


The exact values of the tags are generated during execution of the FSTENV and FSAVE 
instructions according to the actual contents of the nonempty stack locations. During 
execution of other instructions, the Intel486 processor updates the TW only to indicate 
whether a stack location is empty or nonempty. | | 


15.1.5 Opcode Field of Last Instruction 


The opcode field in Figure 15-5 describes the 11-bit format of the last non-control FPU 
instruction executed. The first and second instruction bytes (after all prefixes) are com- 
bined to form the opcode field. Since all floating-point instructions share the same 5 
upper bits in the first instruction byte (following prefixes), they are not stored in the 
opcode field. Note that the second instruction byte is actually located in the low-order 
byte of the stored opcode field. 


7 0 7 0 
15 4 3 %HW2 %&Wt WO YD 1 7 6 6 fH B 2 FH 10 
2ND INSTRUCTION BYTE 1ST INSTRUCTION BYTE hocenceed 


OPCODE FIELD 
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Figure 15-5. Opcode Field 
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15.1.6 The Numeric Instruction and Data Pointers 


The instruction and data pointers provide support for programmed exception-handlers. 
These registers are accessed by the ESC instructions FLDENV, FSTENV, FSAVE, and 
FRSTOR. Whenever the Intel486 processor decodes an ESC instruction, it saves the 
instruction address, the operand address (if present), and the instruction opcode. 


When stored in memory, the instruction and data pointers appear in one of four formats, 
depending on the operating mode of the processor (protected mode or real-address 
mode) and depending on the operand-size attribute in effect (32-bit operand or 16-bit 

operand). In eee mode, the real-address mode formats are used. | 


Figures 15-6 éiroueh 15-9 show these pointers as they are > stored following an FSTENV 
instruction. 


The FSTENV and FSAVE instructions store this data into memory, allowing exception 
handlers to determine the precise nature of any numeric exceptions that may be 
encountered. 


The instruction address saved points to any prefixes that preceded the instruction, as in 
the Intel387 and Intel287 math coprocessors. This is different from the 8087, for which 
the instruction address points only to the ESC instruction opcode. 


Note that the processor control instructions FINIT, FLDCW, FSTCW, FSTSW, 
FCLEX, FSTENV, FLDENV, FSAVE, and FRSTOR do not affect the data pointer. 

Note also that, except for the instructions just mentioned, the value of the data pointer is 
_ undefined if the prior ESC instruction did not have a memory operand. 


32-BIT PROTECTED MODE FORMAT 


3 2 1 

To. 3. 5 7 0 
RESERVED CONTROL WORD 
RESERVED STATUS WORD 
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Figure 15-6. Protected Mode Numeric Instruction and Data Pointer Image in Memory, 
32-Bit Format 
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32-BIT REAL-ADDRESS MODE FORMAT 


i 3 5 7 0 


RESERVED _ INSTRUCTION POINTER 10...00 


0000 INSTRUCTION POINTER 10...00 ‘0 OPCODE 10...00 


RESERVED OPERAND POINTER 10...00 


0000 OPERAND POINTER 10...00 000000000000 
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Figure 15-7. Real Mode Numeric Instruction and Data Pointer Image.in Memory, . 
32-Bit Format 


f 
16-BIT PROTECTED MODE FORMAT 


15 ; 7 0 
aoe maar 


CS SELECTOR 
OPERAND OFFSET 
_ OPERAND SELECTOR . 
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Figure 15-8. Protected Mode Numeric Instruction and Data Pointer Image in Memory, 
16-Bit Format 


15.2 COMPUTATION FUNDAMENTALS 


This section covers numeric programming concepts that are common to all applications. 
It describes the Intel486 FPU’s internal number system and the various types of numbers 
that can be employed in numeric programs.: The most commonly used options for round- 
ing and precision (selected by fields in the control word) are described, with exhaustive 
coverage of less frequently used facilities deferred to later sections. Exception conditions 
that may arise during execution of floating-point instructions are also described along 
with the options that are available for responding to these exceptions. 
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16-BIT REAL-ADDRESS MODE AND 
_ VIRTUAL-8086 MODE FORMAT 


15 is 7 0 
| 
[meno 


INSTRUCTION POINTER ,... 3 


IP tose | OPCODE jo. | 
OPERAND POINTER ,,.0 
| DP ee [0]0 0000000000 CH 
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Figure 15-9. Real Mode Numeric Instruction and Data Pointer Image in Memory, . 
16-Bit Format | 7 Bake 


15.2.1 Number System 


The system of real numbers that people use for pencil and paper calculations is concep- 
tually infinite and continuous. There is no upper or lower limit to the magnitude of the 
numbers one can employ in a calculation, or to the precision (number of significant 
digits) that may be required to represent them. For any given real number, there are 
always arbitrarily many numbers both larger and smaller. There are also arbitrarily many 
numbers between any two real numbers. For example, between 2.5 and 2.6 are 2.51, 
2.5897, 2.500001, etc. | | s | | 


While ideally it would be desirable for a computer to be able to operate on the entire 
real number system, in practice this is not possible. Computers, no matter how large, 
ultimately have fixed-size registers and memories that limit the system of numbers that 
can be accommodated. These limitations determine both the range and the precision of 
numbers. The result is a set of numbers that is finite and discrete, rather than infinite 
and continuous. This sequence is a subset of the real numbers that is designed to form a 
useful approximation of the real number system. 


Figure 15-10 superimposes the basic Intel486 floating-point number system on a real 
number line (decimal numbers are shown for clarity, although the Intel486 processor 
actually represents numbers in binary). The dots indicate the subset of real numbers the. 
Intel486 processor can represent as data and final results of calculations. The range of 
double-precision, normalized numbers is approximately +2.23 x. 10~°°8 to +1.79 x 
10°°8. Applications that are required to deal with data and final results outside this range 
are rare. For reference, the range of the IBM System 370* is about +0.54 x 107” to 
+0.72 x 10”. ae Pt mS te is as ae 
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(NORMALIZED) (NORMALIZED) 


-§ -4 -3 -2 -1 
1.79 X ae, 


NEGATIVE RANGE POSITIVE RANGE > 
| 
| 
| 


+2 


—_e——__—_e—__—__0 
| | 2.000000000000000 
(NOT REPRESENTABLE) 


1.999999999999999 
PRECISION |} 16 DIGITS ——_>| 
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Figure 15-10. Double-Precision Number System 


The finite spacing in Figure 15-10 illustrates that the Intel486 processor can represent a 
great many, but not all, of the real numbers in its range. There is always a gap between 
two adjacent floating-point numbers, and it is possible for the result of a calculation to 
fall in this space. When this occurs, the FPU rounds the true result to a number that it 
can represent. Thus, a real number that requires more digits than the FPU can accom- 
modate (e.g., a 20-digit number) is represented with some loss of accuracy. Notice also 
that the representable numbers are not distributed evenly along the real number line. In 
fact, the same number of representable numbers exists between any two successive pow- 
ers of 2 (i.e., as many representable numbers exist between 2 and 4 as between 65,536 
and 131,072). Therefore, the gaps between representable numbers are larger as the 
numbers increase in magnitude. All integers in the range +2™ (approximately +10'”), 
however, are exactly representable. | 


In its internal operations, the FPU actually employs a number system that is a substan- 
tial superset of that shown in Figure 15-10. The internal format (called extended real) 
extends the representable (normalized) range to about +3.37 x 107*7* to +1.18 x 
10*°°*, and its precision to about 19 (equivalent decimal) digits. This format is designed 
to provide extra range and precision for constants and intermediate results, and is not 
normally intended for data or final results. 


From a practical standpoint, the Intel486 processor’s set of real numbers is sufficiently 
large and dense so as not to limit the vast majority of applications. Compared to most 
computers, including mainframes, the Intel486 processor provides a very good approxi- 
mation of the real number system. It is important to remember, however, that it is not an 
exact representation, and that computer arithmetic on real numbers is inherently 
approximate. | 
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15.2.2 Data Types and Formats > 


The Intel486 processor recognizes : seven numeric data types for memory-based. values, 
divided into three classes: binary integers, packed decimal integers, and binary reals. A 
later section describes how these formats are stored in memory (the sign is always 
located in the mee -addressed byte). 


Figure 15-11 summarizes the format of each data type. In the figure, the most significant 
digits of all numbers (and fields within numbers) are the leftmost digits. | 


_ ~=- MOST SIGNIFICANT BYTE | HIGHEST ADDRESSED BYTE 
A 
PRECISION 
ay “=I (TWO’S 
WORD INTEGER 16 BITS COMPLEMENT: 


SHORT INTEGER - 32 BITS, -. 


eae 7 - el a : TWO’S | 
LONG INTEGER - 64 BITS COMPLEMENT) 


ou 7 ae MAGNITUDE 
PACKED BCD 18 DIGITS d,, dis dis d., d,; d,, d,, dio d, d, d, d, d, d, d, d, d, d, 


as Oe 2" ot BIASED a Reem 
SINGLE PRECISION] 10*% | 24BITS | Slcmmeee SIGNIFICAND 
DOUBLE =| qg=s08 | | Is BIASED "— SIGNIFICAND | 
PRECISION 10" | S53 BITS [PL EXPONENT 
pRecISION | 1° | OS4BITS” EXPONENT. 


ay S = SIGN BIT (0 = positive, 1 = negative) 
(2) d, = DECIMAL DIGIT (TWO PER TYPE) ° hi 
(3) X= (ene NO SIGNIFICANCE; 387 MATH COPROCESSOR IGNORES WHEN LOADING, ZEROS WHEN 
N 
(4) A= = POSITION OF IMPLICIT BINARY POINT 
(5) | = INTEGER BIT OF SIGNIFICAND; STORED IN TEMPORARY REAL, IMPLICIT IN 
SINGLE AND DOUBLE PRECISION 
(6) EXPONENT BIAS eee Ve 
: SINGLE: 127 (7FH): 
DOUBLE: 1023 (3FFH) 
EXTENDED REAL: 16383 (3FFFH) 
‘. .(7) PACKED BCD: (—.1)§ (D,,...D,) 
(8) REAL: (— 1) (28's) (FoF...) pe 
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Figure 15-11, Numerical Data Formats 
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15.2.2.1 BINARY INTEGERS 


The three binary integer formats are identical except for length, which governs the range 
that can be accommodated in each format. The leftmost bit is interpreted as the num- 
ber’s sign: 0=positive and 1=negative. Negative numbers are represented in standard 
two’s complement notation (the binary integers are the only Intel486 processor format to 
use two’s complement). The quantity zero is represented with a positive sign (all bits are 
0). The Intel486 processor word integer format is identical to the 16-bit signed integer 
data type; the short integer format is identical to the 32-bit signed integer data type. 


The binary integer formats exist in memory only. When used by the Intel486 FPU, they 
are automatically converted to the 80-bit extended real format. All binary integers are 
exactly representable i in the extended real format. 


15.2.2.2 DECIMAL INTEGERS 


Decimal integers are stored in packed decimal notation, with two decimal digits 
“packed” into each byte, except the leftmost byte, which carries the sign bit (0= positive, 
1=negative). Negative numbers are not stored in two’s complement form and are distin- 
guished from positive numbers only by the sign bit. The most significant digit of the 
number is the leftmost digit. All digits must be in the range 0-9. 


The decimal integer format exists in memory only. When used by: the Intel486 FPU, it is 
automatically converted to the 80-bit extended real format. All decimal integers. are 
exactly representable in the extended real format. | , 


15.2.2.3 REAL NUMBERS 
The Intel486 processor represents real numbers of the form: 


co 1)°2"(bo,b,b b3..b,_ 1) 


where: 

S = 0 or 1 

E = any integer between ain and Emax, inclusive | 
b, =Oorl 

p = number of bits of precision 


Table 15-3 summarizes the parameters for each of the three real-number formats. 
The Intel486 processor stores real numbers in a three-field binary format that resembles 
scientific, or exponential, notation. The format consists of the following fields: 


e The number’s significant digits are held in the significand field, bo,b;b5b3..b p-1- (The 
term “significand” is analogous to the term “mantissa” used to describe floating point 
numbers on some computers.) | 
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e The exponent field, e = E+bias, locates the binary point within the significant digits 
(and therefore determines the number’s magnitude). (The term “exponent” is analo- 
gous to the term “characteristic” used to describe floating point numbers on some 
computers. ) ;_~ * . | 7 


e The 1-bit sign field indicates whether the number is positive or negative. Negative 
numbers differ from positive numbers only in the sign bits of their significands.. . 


Table 15-4 shows how the real number 178.125 (decimal) is stored in the single real 
format. The table lists a progression of equivalent notations that express the same value 
to show how a number can be converted from one form to another. (The ASM386/486 
and PL/M-386/486 language translators perform a similar process when they encounter 
programmer-defined real number constants.) Note that not every decimal fraction has . 
an exact binary equivalent. The decimal number 1/10, for example, cannot be expressed 
exactly in binary (just as the number 1/3 cannot be expressed exactly in decimal). When 
a translator encounters such a value, it produces a rounded binary approximation of the 
decimal value. . ee 


Table 15-3. Summary of Format Parameters 


32 64. 80 


Format width in bits 


p (bits of precision) 


Exponent width in bits 

Emax —-+16383 
Emin — 16382 
Exponent bias | _ + 16383 


Table 15-4. Real Number Notation 


Ordinary Decimal 78828 
Scientific Decimal 
Scientific Binary 


Scientific Binary 1,0110010001E10000110 
(Biased Exponent) , 


Biased Exponent — Significand 


Single Format (Normalized) 10000110 | ~—01100100010000000000000 
| | : tg (implicit) 
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The Intel486 processor usually carries the digits of the significand in normalized form. 
This means that, except for the value zero, the significand contains an integer bit and 
fraction bits as follows: 


1 afff...£f 


where , indicates an assumed binary point. The number of fraction bits varies according 
to the real format: 23 for single, 52 for double, and 63 for extended real. By. normalizing 
real numbers so that their integer bit is always a 1, the Intel486 processor eliminates 
leading zeros in small values (| X | < 1). This technique maximizes the number of 
significant digits that can be accommodated in a significand of a given width. Note that, 
in the single and double formats, the integer bit is implicit and is not actually stored; the 
integer bit is as present in the extended format only. 


If one were to examine only the significand sith its assumed binary point, all normalized 
real numbers would have values greater than or equal to 1 and less than 2. The exponent 
field locates the actual binary point in the significant digits. Just as in decimal scientific 
notation, a positive exponent has the effect of moving the binary point to the right, and 
a negative exponent effectively moves the binary point to the left, inserting leading zeros 
as necessary. An unbiased exponent of zero indicates that the position of the assumed 
binary point is also the position of the actual binary point. The exponent field, then, 
determines a real number’s magnitude. , 


In order to simplify comparing real numbers (e.g., for sorting), the Intel486 processor 
stores exponents in a biased form. This means that a constant is added to the true 
exponent described above. As Table 15-3 shows, the value of this bias is different for each 
real format. It has been chosen so as to force the biased exponent to be a positive value. 
This allows two real numbers (of the same format and sign) to be compared as if they 
are. unsigned binary integers. That is, when comparing them bitwise from left to right 
(beginning with the leftmost exponent bit), the first bit position that differs orders the 
numbers; there is no need to proceed. further with the comparison. A number’s true 
exponent can be determined simply by subtracting the bias value of its format. 


The single and double real formats exist in memory only. If a number in one of these 
formats is loaded into an FPU register, it is automatically converted to extended format, 
the format used for all internal operations. Likewise, data in registers can be converted 
to single or double real for storage in memory. The extended real format may be used in 
memory also, typically to store intermediate results that cannot be held in registers. 


Most applications should use the double format to store real-number data and results; it 
provides sufficient range and precision to return correct results with a minimum of pro- 
grammer attention. The single real format is appropriate for applications that are con- 
strained by memory, but it should be recognized that this format provides a smaller 
margin of safety. It is also useful for the debugging of algorithms, because roundoff 
problems will manifest themselves more quickly in this format. The extended real format 
should normally be reserved for holding intermediate results, loop accumulations, and 
constants. Its extra length 1 is designed to shield final results from the effects of rounding 
and overflow/underflow in intermediate calculations. However, the range and precision 
of the double format are adequate for most microcomputer applications. 
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15.2.3 Rounding Control 


Internally, the Intel486 FPU employs three extra bits (guard, round, and sticky bits) that 
enable it to round numbers in accord with the infinitely precise true result of a compu- 
tation; these bits are not accessible to programmers. Whenever the destination can rep- 
resent the infinitely precise true result, the FPU delivers it. Rounding occurs in 
arithmetic and store operations when the format of the destination cannot exactly rep- 
resent the infinitely precise true result. For example, a real number may be rounded if it 
is stored in a shorter real format, or in an integer format. Or, the pute precise true 
result may be rounded when it is returned to a fCEsier 


The Intel486 FPU has four rounding modes, selectable by the RC field in the control 
word (see Figure 15-3). Given a true result b that cannot be represented by the target 
data type, the FPU determines the two representable numbers a and c that most closely 
bracket b in value (a < b < c). The processor then rounds (changes) b to a or toc 
according to the mode selected by the RC field as shown in Table 15-5. Rounding 
introduces an error in a result that is less than one unit in the last place to which the 
Se is rounded. 


e “Round to nearest” is the default mode and is suitable for most applications; it 
_ provides the most accurate and statistically unbiased estimate of the true result. 


« The “chop” or “round toward zero” mode is provided for integer arithmetic 
_ applications. 7 . = - 


e “Round up” and “round down” are termed directed rounding and can be used to 
implement interval arithmetic. Interval arithmetic is used to determine upper and 
lower bounds for the true result of a multi-step computation, when the intermediate 
results of the oapaon are subject to rounding. 


Rounding control affects only the arithmetic instructions (refer to Chapter 16 for lists of 
arithmetic and nonarithmetic instructions). 


Table 15-5. Rounding Modes 


| RC Field *: Rounding Mode - Rounding Action | 


Round to nearest eee Closer to b of aor c; if equally close, select 
even number (the one whose least significant 
bit is zero). 


Round down (toward —o).. a 


Round up (toward +0) ~ Git 


| | Chop (toward 0) — | Smaller in magnitude of a or c. 


NOTE: a<b<G aand care successive representable numbers; b is not representable. 
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15.2.4 Precision Control 


The Intel486 FPU allows results to be calculated with either 64, 53, or 24 bits of preci- 
sion in the significand as selected by the precision control (PC) field of the control word. 
The default setting, and the one that is best suited for most applications, is the full 64 
bits of significance provided by the extended real format. The other settings are required 
by the IEEE standard and are provided to obtain compatibility with the specifications of 
certain existing programming languages. Specifying less precision nullifies the advan- 
tages of the extended format’s extended fraction length. When reduced precision is 
specified, the rounding of the fractional value clears the unused bits on the right to 
zeros. Precision Control affects only the instructions FADD, FSUB, FMUL, FDIV, and 
FSQRT. 
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CHAPTER 16 
SPECIAL COMPUTATIONAL SITUATIONS 


Besides being able to represent positive and negative numbers, the numerical data for- 
mats may be used to describe other entities. These special values provide extra flexibility, 
but most users will not need to understand them in order to use the numerics capabili- 
ties of the Intel486 processor successfully. This section describes the special values that 
may occur in certain cases and the significance of each. The numeric exceptions are also 
described, for writers of exception handlers and for those interested in probing the limits 
of numeric computation using the Intel486 processor. 


The material presented in this section is mainly of interest to programmers concerned 
with writing exception handlers. Many readers will only need to skim this section. 


When discussing these special computational situations, it is useful to distinguish 
between arithmetic instructions and nonarithmetic instructions. Nonarithmetic instructions 
are those that have no operands or transfer their operands without substantial change; 
arithmetic instructions are those that make significant changes to their operands: 
Table 16-1 defines these two classes of instructions. 


16.1 SPECIAL NUMERIC VALUES 


The numerical data formats of the Intel486 processor encompass encodings for a variety 
of special values in addition to the typical real or integer data values that result from 
normal calculations. These special values have significance and can express relevant 
information about the computations or operations that produced them. The various 
types of special values are os 


e Denormal real numbers «| 

e Zeros | | 

e Positive and negative infinity 

e NaN (Not- ua 

e Indefinite 

e Unsupported formats 

The following sections explain the origins and significance of each of these special val- 


ues. Tables 16-6 through 16-9 at the end of this section show how each of these special 
values is encoded for each of the numeric data types. 


16.1.1 Denormal Real Numbers. 


The Intel486 processor generally stores nonzero real numbers in normalized floating- 
point form; that is, the integer (leading) bit of the significand is always a one. (Refer to 
Chapter 15 for a review of operand formats.) This bit is explicitly stored in the extended 
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Table 16-1. Arithmetic and Nonarithmetic Instructions 


FABS 

FCHS — 

~ FCLEX. 

FDECSTP 

FFREE 

FINCSTP | 

FINIT 

FLD (register-to-register) 

FLD (extended format from memory) 


~ FLD constant 


FLDCW 
FLDENV 
FNOP 
-FRSTOR 
 FSAVE 
FST(P) (register-to-register) 
FSTP (extended format to memory) 
FSTCW 
FSTENV 
FSTSW 
- FWAIT » 
FXAM 
FXCH 


FADD (P) — 


FBLD 


FBSTP 


~FCOMP(P)(P) 
FCOS 


FDIV(R)(P) 
FIADD 


- FICOM(P): 
_ FIDIV(R) 


FILD 
FIMUL 


FIST(P) 


FISUB(R) | 
FLD (conversion) 
FMUL(P) 

FPATAN 

FPREM 

FPREM1 


-FPTAN 


FRNDINT 
FSCALE 


FSIN | | 
FSINCOS | 
FSQRT | 

FST(P) (conversion) 
FSUB(R)(P) 

FTST 
FUCOM(P)(P) 
FXTRACT 

FYL2X 

FYL2XP1 


format, and is implicitly assumed to be a one (1,) in the single and double formats. Since 
leading zeros are eliminated, normalized storage allows the maximum ee of signif- 
icant digits to be held in a significand of a given width. 


When a numeric value becomes very close to zero, normalized floating-point storage 
cannot be used to express the value accurately. The term finy is used here to precisely 
define what values require special handling. A number R is said to be tiny when Sa 
<R<0Oor0<R< +2©™". (As defined in Chapter 15, Emin is —126 for single format, 
—1022 for double format, and —16382 for extended format.) In other words, a nonzero 
number is tiny if its exponent would be too negative to store in the destination format. 
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To accommodate these instances, the Intel486 processor can store and operate on reals 
that are not normalized, i.e., whose significands contain one or more leading zeros. 
Denormals typically arise when the result of a calculation yields a value that is tiny. 


Denormal values have the following properties: 
© The biased floating-point exponent is stored at its smallest value (zero) 


° The integer bit of the significand (whether explicit or implicit) is zero 


The leading zeros of denormals permit smaller numbers to be represented, at the possi- 
ble cost of some lost precision (the number of significant bits is reduced by the leading 
zeros). In typical algorithms, extremely small values are most likely to be generated as 
intermediate, rather than final, results. By using the extended real format for holding 
intermediate values, quantities as small as +3.37 x 10°*°* can be represented; this 
makes the occurrence of denormal numbers a rare phenomenon in Intel486 numerical 
applications. Nevertheless, the Intel486 processor can load, store, and operate on denor- 
malized real numbers when they do occur. | 


Denormals receive special treatment by the Intel486 processor in three respects: 


o The Intel486 processor avoids creating denormals whenever possible. In other words, 
it always normalizes real numbers except in the case of tiny numbers. | 


o The Intel486 processor provides the unmasked underflow exception to permit pro- 
grammers to detect cases when denormals would be created. | 


e The Intel486 processor provides the denormal exception to permit programmers to 
_ detect cases when denormals enter into further calculations. 


Denormalizing means incrementing the true result’s exponent and inserting a corre- 
sponding leading zero in the significand, shifting the rest of the significand one place to 
the right. Denormal values may occur in any of the single, double, or extended formats. 
Table 16-2 shows the range of denormalized values in each format. 


Denormalization produces either a denormal or a zero. Denormals are readily identified 
by their exponents, which are always the minimum for their formats; in biased form, this 
is always the bit string: 00..00. This same exponent value is also assigned to the zeros, but 
a denormal has a nonzero significand. A denormal in a register is tagged special. 
Tables 16-8 and 16-9 later in this chapter show how denormal values are encoded in 
each of the real data formats. | 


Table 16-2. _Denormalized Values 


Smallest Magnitude | Largest Magnitude | | 
(Approx.) | (Exact) (Approx.) 


9-150 9—126__9—150 


Single. Precision 
-g-1022__9-1075 


Double Precision — ee 


Extended | 0- 16461 . . Be leave p= 16461 
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The denormalization process causes loss of significance if low-order one-bits bits are 
shifted off the right of the significand. In a severe case, all the significand bits of the true 
result are shifted out and replaced by the leading zeros. In this case, the result of denor- 
malization is a true zero, and, if the value is in a register, it is tagged as a zero. 


Denormals are rarely encountered in most applications. Typical debugged algorithms 
generate extremely small results during the evaluation of intermediate subexpressions; 
the final result is usually of an appropriate magnitude for its single or double format real 
destination. If intermediate results are held in temporary real, as is recommended, the 
great range of this format makes underflow very unlikely. Denormals are likely to arise 
only when an application generates a great many intermediates, so many that they can- 
not be held on the register stack or in extended format memory variables. If storage 
limitations force the use of single or double format reals for intermediates, and small 
values are produced, underflow may occur, and, if masked, may generate denormals. 


When a denormal number in single or double format is used as a source operand and 
the denormal exception is masked, the Intel486 FPU automatically nome the num- 
ber when it is converted to extended format. 


16.1.4.1 DENORMALS AND GRADUAL UNDERFLOW 


Floating-point arithmetic cannot carry out all operations exactly for all operands; 
approximation is unavoidable when the exact result is not representable as a floating- 
point variable. To keep the approximation mathematically tractable, the hardware is 
made to conform to accuracy standards that can be modeled by certain inequalities 
_ instead of equations. Let the assignment 


X—-—Y@Z_ : (where @ is some operation) 


represent a typical operation. In the default rounding mode (round to nearest), each 
operation is carried out with an absolute error no larger than half the separation 
between the two floating-point numbers closest to the exact results. Let x be the value 
stored for the variable whose name in the program is X, and similarly y for Y, and z for 
Z. Normally y and z will differ by accumulated errors from what is desired and from what 
would have been obtained in the absence of error. For the calculation of x we assume 
that y and z are the best approximations available, and we seek to compute x as well as 
we can. If y@z is representable exactly, then we expect x = y@z, and that is what we get 
for every algebraic operation on the Intel486 processor FPU (i.e., when y@z is one of 
ytzZ,y—Z, yXZ, y+Z, sqrt z). But if y@z must be approximated, as is usually the case, then 
x must differ from y@z by no more than half the difference between the two represent- 
able numbers that straddle y@z. That difference depends on two factors: 


1. The precision to which the calculation is carried out, as determined either by the 
precision. control bits or by the format used in memory. On the Intel486 processor, 
the precisions are single (24 significant bits), double (53 significant bits), and 

_ extended (64 significant bits). 
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2. How close y@z is to zero. In this respect the existence of denormal numbers on the 
Intel486 processor provides a distinct advantage over systems that do not admit 
denormal numbers. 


In any floating-point number system, the density of representable numbers is greater 
near zero than near the largest representable magnitudes. However, machines that do 
not use denormal numbers suffer from an enormous gap between zero and its closest 
neighbors. Figures 16-1 and 16-2 show what happens near zero in two kinds of floating- 
point number systems. | | 


Figure 16-1 shows a floating-point number system that (like the Intel486 processor) 
admits denormal numbers. For simplicity, only the non-negative numbers appear and the 
figure illustrates a number system that carries just four significant bits instead of the 24, 
53, or 64 significant bits that the Intel486 processor offers. 


Each vertical tick mark stands for a number representable in four significant bits, and 
the longer verticals stand for powers of 2. The horizontal marks are evenly spaced; those 
uncrossed by vertical tick marks stand for numbers unrepresentable at this precision. 
The denormal numbers lie between 0 and the nearest normal power of 2. They are no 
less dense than the remaining nonzero numbers. | 


Figure 16-2 shows a floating-point number system that (unlike the Intel486 or Intel387 
FPUs) does not admit denormal numbers. There are two large gaps, one on the positive 
side of zero (as illustrated) and one on the negative side of zero (not illustrated). The 
gap between zero and the nearest neighbor of zero differs from the gap between that 
neighbor and the next bigger number by a factor of about 8.4 x 10° for single, 4.5 x 10° 
for double, and 9.2 x 10°® for extended format. Those gaps would complicate error 
analysis. | | | 
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Numbers 


Denormals 
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Figure 16-2. Floating-Point System without Denormals 
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The advantage of denormal numbers is apparent when one considers what happens in 
either case when the underflow exception is masked and y@z falls into the space 
between zero and the smallest normal magnitude. The Intel486 processor returns the 
nearest denormal number. This action might be called “gradual underflow.” The effect 
is no different from the rounding that can occur when y@z falls in the normal range. 


On the other hand, the system that does not have denormal numbers returns zero as the 
result, an action that can be much more inaccurate than rounding. This action could be 
called “abrupt underflow.” The Intel486 FPU and Intel387 math coprocessor handle 
denormal values differently than the 8087/Intel287 math coprocessors. See Section 16.2.4 
for more details. 


16.1.2 Zeros 


The value zero in the real and decimal integer formats may be signed either positive or 
negative, although the sign of a binary integer zero is always positive. For computational 
purposes, the value of zero always behaves identically, regardless of sign, and typically 
the fact that a zero may be signed is transparent to the programmer. If necessary, the 
FXAM instruction may be used to determine a zero’s sign. 


A programmer can code a zero, or it can be created by the FPU as its masked response 
to an underflow exception. If a zero is loaded or generated in a register, the register is 
_ tagged zero. Table 16-3 lists the results of instructions executed with zero operands and 
also shows how a zero may be created from nonzero operands. 


Table 16-3. Zero Operands and Results 


a 


FLD,FBLD 
FILD 
FST,FSTP,FRNDINT 


FBSTP 
FIST,FISTP 


FCHS 


FABS 
Addition — | +0 plus +0 
, —0 plus —0 
_ +0 plus —0,. —0O plus +0 
—X plus +X, +X plus —X 
+0 plus +X, +X plus +0 
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Table 16-3. Zero Operands and Results 


ee 


Subtraction +0 minus —0 
—O minus +0 
+0 minus +0, —0 minus 
—0 
+X minus +X, —X minus 
—X 
+0 minus +X 
+X minus +0 
Multiplication +0 x +0 
+0 X+X, +X xX +0 
+Xx +Y, -X x -Y 
+x x -Y, -—X x +Y 
Division +0 + +0 Invalid Operation 
+X + +0 co (Zero Divide) 
+X + +0 
+0 + +X, -—O + —X 
+0 + -—X, -O0 + +X 
Se Nee es EY 
=-X + +Y, +X+-Y 
FPREM, FPREM1 +0 rem +0° Invalid Operation 
+X rem +0 Invalid Operation 
+0 rem +X +0 
+X —-O . 
+Y +0 Y exactly divides X 
+Y —0 Y exactly divides X 
FSQRT 
Compare = +X 
+0 


FTST 
FXAM 
| C,=C,=1; C,=C,=0 
FSCALE +0 scaled by —« ; *0 
+0 scaled by +0 Invalid Operation 
+0 scaled by X *0 | 
FXTRACT ST = + 0,ST(1) = —~, 
Zero divide 
ST = —0,ST(1) =—%, 
Zero divide 
FPTAN : : a | *0 
FSIN (or SIN *0 
result of FSINCOS) | 
FCOS (or COS | | +1. 
result of FSINCOS) 


16-7 


intel ‘ SPECIAL COMPUTATIONAL SITUATIONS 


Table 16-3. Zero Operands and Results 


ee 


FPATAN | — +0+ 4+X 
+0 + —X 
+X ++ 
+0 + 
+0 + 
+o +t 
—oO ++ 
+0 + 
+0 + 
F2XM1 | — +0 
| " — SOM nee % | , 
FYL2X | . +Y xX log(+0) | . Zero Divide 
Ng Tei | +0 x log(+0) Invalid Operation: . 


FYLOXP1 iss —-+Y¥ x log(t0+1) *0 
7 —Y x log(+0+ 1) = *0 


X and Y denote nonzero positive operands. . 
7 When extreme underflow denormalizes the result to zero. 
2 Sign determined by rounding mode: + for nearest, up, or chop, — for down. 
3 When 0 < X < 1 and rounding mode is not up. — 
4 - When —1 < X < 0 and rounding meee is not down. 
a Sign of original zero operand. 
# ‘Sign of original X operand. 
—# Complement of sign of original X operand. 
_. Exclusive OR of the signs of the operands. 


16.1.3 Infinity . 


The real formats support signed representations of infinities. These values are encoded 
with a biased exponent of all ones and a significand of 1,00..00; if the infinity is in a 
register, it is tagged special. 


A programmer can code an infinity, or it can be created by the FPU as its masked 
response to an overflow or a zero divide exception. Note that depending on rounding 
mode, the masked response may create the largest valid value representable in the des- 
tination rather than infinity. 


The signs of the infinities are observed, and comparisons are possible. Infinities are 
always interpreted in the affine sense; that is, —o% < (any finite number) < +0, Arith- 
metic on infinities is always exact and, therefore, signals no exceptions, except for the 
invalid operations species in Table 16-4. 


16.1.4 NaN (Not-a-Number) 


A NaN (Not a Number) is a member of a class of special values that exists in the real 
formats only. A NaN has an exponent of 11..11B, may have either sign, and may have 
any significand except 1,00..00B, which is assigned to the infinities. A NaN in a register 
is tagged special. 
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Table 16-4. Infinity Operands and Results 


FLD,FBLD 
FST,FSTP,FRNDINT 
FCHS 
| + 00 
FABS at 7 +0 
Addition +o plus + | +00 
—o plus —« : =O 
+o plus —0 Invalid Operation 
—o plus +a Invalid Operation 
+o plus +X *00 
+X plus +00 * 00 
Subtraction +oo minus —0 +00 
—o minus +0 —o 
+o minus +00 Invalid Operation 
—co minus —co Invalid Operation 
+oo minus +X *o0 
+X minus + 
Multiplication +0 X +00 
OO EY. YX 
+0 X +00, +o xX Invalid Operation 
Division shoo + Invalid Operation 
+0 + 


+X + 


FPREM,FPREM1 | Invalid Operation 
Invalid Operation © 
| $X,Q=0_ 
FSQRT . Invalid Operation 
“+ 00 a 3 


Compare : 00 


=O = 


+o >) 
—0 < +0 
+a > X 
—o < X 
X < +0 
X > +0 
+o >Q 
FIST —«o <0 
FSCALE +o scaled by —« Invalid Operation 
+o scaled by + *00 
+oo scaled by +X Fe 
+0 scaled by —~ +0, 
+0 scaled by ~ Invalid Operation 
+Y scaled by + - #F00 
| +Y scaled by —2 : #0 
FXTRACT | +00 | Sb = 2. SI) = ae 
FXAM | CO=C2=1;C1=C3=0 
| | Co=Cl1=C2=1:.C3=0 
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Table 16-4. Infinity Operands and Results 


ee 


FPATAN 7 | *ar/2 
#0 
#7 
. *ar/4 
*3mr/4 
*7/2 
+0 
Ar 
—0- 
77 
+ 00 
. —1 
+o xXlog(1) | Invalid Operation 
+o xX log (X>1) | *oo 
0.<X<1) : —*oo 
Hoo 
~ Invalid Operation 
Invalid Operation 
FYL2XP1 > ge | s 4 Invalid Operation 


*o0 


Invalid Operation 
Invalid Operation 


X Zero or nonzero positive operand. 
Y Nonzero positive operand. — 
- Sign of original infinity operand. 
as Complement of sign of original infinity operand. 
$ Sign of original operand. 
Exclusive OR of signs of operands. 
# Sign of the original Y operand. 
1 Sign of original zero operand. 


There are two classes of NaNs: signaling (SNaN) and quiet (QNaN). Among the 
QNaNs, the value real indefinite is of special interest. 


16.1.4.1 SIGNALING NaNs 


A signaling NaN is a NaN that has a zero as the most significant bit of its significand. 
The rest of the significand may be set to any value. The FPU never generates a signaling 
NaN as a result; however, it recognizes signaling NaNs when they appear as operands. 
Arithmetic operations (as defined at the beginning of this chapter) on a signaling NaN 
cause an invalid-operation exception (except for load operations from the stack, FXCH, 
FCHS, and FABS). 
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By unmasking the invalid operation exception, the programmer can use signaling NaNs 
to trap to the exception handler. The generality of this approach and the large number 
of NaN values that are available provide the sophisticated programmer with a tool that 
can be applied to a variety of special situations. | | 


For example, a compiler could use signaling NaNs as references to uninitialized (real) 
array elements. The compiler could preinitialize each array element with a signaling 
NaN whose significand contained the index (relative position) of the element. If an 
application program attempted to access an element that it had not initialized, it would 
use the NaN placed there by the compiler. If the invalid operation exception were 
unmasked, an interrupt would occur, and the exception handler would be invoked. The 
exception handler could determine which element had been accessed, since the operand 
address field of the exception pointers would point to the NaN, and the NaN would 
contain the index number of the array element. 


16.1.4.2 QUIET NaNs 


A quiet NaN is a NaN that has a one as the most significant bit of its significand. The 
Intel486 processor creates the quiet NaN real indefinite (defined below) as its default 
response to certain exceptional conditions. The Intel486 processor may derive other 
QNaNs by converting an SNaN. The Intel486 processor converts a SNaN by setting the 
most significant bit of its significand to one, thereby generating an QNaN. The remain- 
ing bits of the significand are not changed; therefore, diagnostic information that may be 
stored in these bits of the SNaN is propaedtce.) into the QNaN. 


The Intel486 processor will generate the special QNaN, real indefinite, as its masked 
response to an invalid operation exception. This NaN is signed negative; its significand is 
encoded 1,100..00. All other NaNs represent values created by programmers or derived 
from values created by programmers. | 


Both quiet and signaling NaNs are supported in all operations. A QNaN is generated as 
the masked response for invalid-operation exceptions and as the result of an operation 
in which at least one of the operands is a QNaN. The Intel486 processor applies the 
rules shown in Table 16-5 when generating a QNaN. | 


Note that handling of a QNaN operand has greater priority than all exceptions except 
certain invalid-operation exceptions (refer to the section “Exception Priority” in this 
enapiy): 


Giiet NaNs could be used, for example, to speed up debugging. In its early testing 
phase, a program often contains multiple errors. An exception handler could be written 
to save diagnostic information in memory whenever it was invoked. After storing the 
diagnostic data, it could supply a quiet NaN as the result of the erroneous instruction, 
and that NaN could point to its associated diagnostic area in memory. The program 
would then continue, creating a different NaN for each error. When the program ended, 
the NaN results could be used to access the diagnostic data saved at the time the errors 
occurred. Many errors could thus be diagnosed and corrected in one test run. | 
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Table 16-5. Rules for Generating QNaNs_ 


Operation ton 


Real operation on an SNaN and a QNaN. | Deliver the QNaN operand. ~ 


Real operation on two SNaNs. . Deliver the QNaN that results from converting 
| the SNaN that has the larger significand. 


Real operation on two QNaNs. | Deliver the QNaN that has the larger 

Ro | : significand. 
Real operation on an SNaN and another Deliver the QNaN that results from converting 
number. | the SNaN. 


Real operation on aQNaN and another —=—sS*+dtys_CDeeliver the QNaN. 
number. 


Invalid operation that does not involve NaNs. Deliver the default QNaN real indefinite. 


In embedded applications which use computed results in further computations, an unde- 
tected QNaN can invalidate all subsequent results. Such applications should therefore 
periodically check for QNaNs and provide a recovery mechanism to be used if a ane 
result is detected. ei : | 


16.1.5 Indefinite 


For each numeric data type, one unique encoding is reserved for representing the special 
value indefinite. The Intel486 processor produces this encoding as its response to a 
masked invalid-operation exception. 


In the case of reals, the indefinite value is a QNaN as discussed in the prior section. 


Packed decimal indefinite may be stored with a FBSTP instruction; attempting to use this 
encoding in a FBLD instruction, however, will have an undefined result; thus indefinite 
cannot be loaded from a 2 packed decimal integer. , 


In the binary integers, the same encoding may represent either indefinite or the largest 
negative number supported by the format (—2’°, —2°', or —2°°). The Intel486 processor 
will store this encoding as its masked response to an invalid operation, or when the value 
in a source register represents or rounds to the largest negative integer representable by 
the destination. In situations where its origin may be ambiguous, the invalid-operation 
exception flag can be examined to. see if the value was produced by an exception 
response. When this encoding is loaded or used by an integer arithmetic or compare 
operation, it is always pecs as a neeatve number; ae indefinite cannot be loaded 
from a binary integer. teal | Vs | | 
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16.1.6 Encoding of Data Types 


Tables 16-6 through 16-9 show how each of the special values just described is encoded - 
for each of the numeric data types. In these tables, the least-significant bits are shown to 
the right and are stored in the lowest memory addresses. The sign bit is always the 
left-most bit of the highest-addressed byte. 


16.1.7 Unsupported Formats 


The extended format permits many bit patterns that do not fall into any of the previously 
mentioned categories. Table 16-10 shows these unsupported formats. Some of these 
encodings were supported by the Intel287 math coprocessor; however, most of them are 
not supported by the Intel387 and Intel486 FPUs. These changes are required due to 
changes made in the final version of IEEE Std 754 that eliminated these data types. 


The categories of encodings formerly known as pseudo-NaNs, pseudoinfinities, and 
unnormal numbers are not supported. The Intel486 processor raises the invalid- 
operation exception when they are encountered as operands. 


The encodings formerly known as pseudodenormal numbers are not generated by the 
Intel486 processor; however, they are correctly utilized when encountered as operands. 
The exponent is treated as if it were 00..01 and the mantissa is Geter: The denor- 
mal exception is raised. 
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Table 16-6. Binary Integer Encodings. 


(Largest) 7 


~ Positives 


(Smallest) 


(Smallest) 


Negatives | 


(Largest/Indefinite*) 


15 bits > 
: 31 bits 
Long: 63 bits 


*If this encoding is used as a source operand (as in an integer load or integer arithmetic instruction), the 
FPU interprets it as the largest negative number representable in the format... —2'®, —2°', or —2°°. The 
FPU delivers this encoding to an integer destination in two cases: 


1. If the result is the largest negative number. . 
2. As the response to a masked invalid operation exception, in which case it represents the special value 
integer indefinite. 
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Table 16-7. Packed Decimal Encodings 


Magnitude 


(Largest) 0000000 |} 1001 1001 #441001 1001 
(Smallest) 0000000 |} 0000 0000 0000 + #40000 


Class 


1 é 


Zero 


0000000 | 0000 0000 0000 0000 oe 0000 


Zero 1 0000000 |} 0000 0000 0000 0000 sir 0000 


(Smallest) 0000000 | 0000 0000 0000 0000 


(Largest) 0000000 | 1001 1001 1001 1001 pied 1001 


indefinite* ee 1111 #4111 UUUU** UUUU... UUUU 


— 1 byte — | — 9 bytes — 


*The packed decimal indefinite is stored by FBSTP in response to a masked invalid operation exception. 
Attempting to load this value via FBLD produces an undefined result. 7 
**UUUU means bit values are undefined and may contain any value. 
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Table 16-8. Single and Double Real Encodings 


Biased Significand 
' Exponent [| ff-ff* 


Positives 


Normals 


Zero coe 
Denormals 


Negatives 


Signaling 


Indefinite 


Single: — 8 bits — — 23 bits — 
Double: — 11 bits — — 52 bits — 


*Integer bit is implied and not stored. 
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Table 16-9. Extended Real Encodings 


Class Biased Significand 
| | Exponent |.ff-ff 


Signaling 


Infinity [ee ae on 1 00..00 


Normals 


Positives 


Denormals 


Pseudodenormals 


Normals 


Negatives 


— 15bits—- — — 64 bits — 
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Table 16-10. Unsupported Formats 


_ Biased Significand 
_ Exponent f.ff--ff 


Signaling 


_ Pseudoinfinity _ a 


Unnormals 


Positives 


Unnormals j 
. Pseudoinfinity | 


Signaling 


Negatives 


— 15 bits — — 64 bits — 


16.2 NUMERIC EXCEPTIONS 
The Intel486 processor ¢ can recognize six classes of numeric exception conditions while 
executing numeric instructions: 


1. I— Invalid operation | 
e Stack fault | 
e IEEE standard invalid operation 


Z— Dyivide-by-zero 
D— Denormalized operand 
OF een overflow 


U_ ince underflow 


Dn A BR WON 


P— Inexact result (precision) 
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16.2.1 Handling Numeric Exceptions 


When numeric exceptions occur, the Intel486 processor takes one of two possible 
courses of action: 


e The FPU can itself handle the exception, producing the most reasonable result and 
allowing numeric program execution to continue undisturbed. 


e A software exception handler can be invoked to handle the exception. 


Each of the six exception conditions described above has a corresponding flag bit in the 
FPU status word and a mask bit in the FPU control word. If an exception is masked (the 
corresponding mask bit in the control word = 1), the Intel486 processor takes an appro- 
priate default action and continues with the computation. If the exception is unmasked 
(mask = 0), a software exception handler is invoked immediately before execution of the 
next WAIT or non-control floating-point instruction. Depending on the value of the NE 
bit of the CRO control register, the exception handler is invoked either (NE = 1) 
through interrupt vector 16 or (NE = 0) through an external interrupt. 


Note that when exceptions are masked, the FPU may detect multiple exceptions in a 
single instruction, because it continues executing the instruction after performing its 
masked response. For example, the FPU could detect a denormalized operand, perform 
its masked response to this exception, and then detect an underflow. © 


16.2.1.1 AUTOMATIC EXCEPTION HANDLING 


The Intel486 processor has a default fix-up activity for every possible exception condition 
it may encounter. These masked-exception responses are designed to be safe and are 
generally acceptable for most numeric applications. : 


As an example of how even severe. exceptions can be handled safely and automatically 
using the default exception responses, consider a calculation of the parallel resistance of 
several values using only the standard formula (Figure 16-3). If R1 becomes zero, the 
circuit resistance becomes zero. With the divide-by-zero and precision exceptions 
masked, the Intel486 processor will produce the correct result. 


By masking or unmasking specific numeric exceptions in the FPU control word, pro- 
grammers can delegate responsibility for most exceptions to the Intel486 processor, 
reserving the most severe exceptions for programmed exception handlers. Exception- 
handling software is often difficult to write, and the masked responses have been tai- 
lored to deliver the most reasonable result for each condition. For the majority of 
applications, masking all exceptions yields satisfactory results with the least program- 
ming effort. Certain exceptions can usefully be left unmasked during the debugging 
phase of software development, and then masked when the clean software is actually 
run. An invalid-operation exception for example, typically indicates a pioprant error r that a 
must be corrected. | 


The exception flags in the FPU status word provide a cumulative record of exceptions 


that have occurred since these flags were last cleared. Once set, these flags can be 
cleared only by executing the FCLEX (clear exceptions) instruction, by reinitializing the 
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EQUIVALENT RESISTANCE = 


240486i16-3 


Figure 16-3. Arithmetic Example Using Infinity 


FPU, or by overwriting the flags with an FRSTOR or FLDENV instruction. This allows 
a programmer to mask all exceptions, run a calculation, and then inspect the status word 
to see if any exceptions were detected at any point in the calculation. 


16.2.1.2 SOFTWARE EXCEPTION HANDLING 


If the FPU encounters an unmasked exception condition, a software exception handler is 
invoked immediately before execution of the next WAIT or non-control floating-point 
instruction. The exception handler is invoked either through interrupt vector 16 or 
through an external interrupt, depending 01 on the value oe the NE bit of the CRO control 
register. | 


If NE = 1, an unmasked floating-point exception results in interrupt 16, immediately 
before the execution of the next non-control floating-point or WAIT instruction. Inter- 
rupt 16 is an operating-system call that invokes the exception handler. Chapter 9 con- 
tains a general discussion of exceptions and interrupts on the Intel486 processor. 


If NE = 0 (and the IGNNE# input is inactive), an unmasked floating-point exception 
causes the processor to freeze immediately before executing the next non-control 
floating-point or WAIT instruction. The frozen processor waits for an external interrupt, 
which must be supplied by external hardware in response to the FERR# output of the 
_ processor. (Regardless of the value of NE, an unmasked numerical exception causes the 
FERR# output to be activated.) In this case, the external interrupt invokes. the 
exception-handling routine. If NE =0 but the IGNNE# input is active, the processor 
disregards the exception and continues. Error reporting via external interrupt is sup- 
ported for DOS compatibility. oe 25 contains eoEnee discussion o is ee 
issues. : 2 
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The exception-handling routine is normally a part of the systems software. Typical 
exception responses may include: _ 


e Incrementing an exception counter for later display or printing 


e Printing or displaying diagnostic information (e.g., the FPU environment and 
registers) 


e Aborting further execution, or using the exception pointers to build an instruction 
that will run without exception and executing it 


Applications programmers should consult their operating system’s reference manuals for 
the appropriate system response to numerical exceptions. For systems programmers, 
some details on writing software exception handlers are provided in Chapter 19. 


16.2.2 Invalid Operation 


This exception may occur in response to two general classes of operations: 
_1. Stack operations 
2. Arithmetic operations 
The stack flag (SF) of the status word indicates which class of operation caused the 


exception. When SF is I a stack operation has resulted in stack overflow or underflow; 
when SF is 0, an arithmetic instruction has encountered an invalid operand. 


16.2.2.1 STACK EXCEPTION 


When SF is 1, indicating a stack apemton: the O/U# bit of the condition code (bit Cl) 
distinguishes between stack overflow and underflow as follows: 


O/U# = 1 Stack overflow—an instruction attempted to push down a nonempty stack 
location. | 


0 Stack underflow—an instruction attempted to read an operand from an 
empty stack location. — 


O/U# 


When the invalid-operation exception is masked, the FPU returns the QNaN indefinite. 
This value overwrites the destination register, destroying its original contents. 


When the invalid-operation exception is not masked, an exception handler is invoked. 
TOP is not changed, and the source operands remain unaffected. 
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This class includes the invalid operations defined in IEEE Std 854. The FPU reports an 
invalid operation in any of the cases shown in Table 16-11. Also shown in this table are 
the FPU’s responses when the invalid exception is masked. When unmasked, an excep- 
tion handler is invoked, and the operands remain unaltered. An invalid operation gen- 
erally indicates a program error. 


16.2.3 Division by Zero 


If an instruction attempts to divide'a finite nonzero operand by zero, the FPU will report 
a zero-divide exception. This is possible for F(I)DIV(R)(P) as well as the other instruc- 
tions that perform division internally: FYL2X and FXTRACT. The masked response for 
FDIV is to return an infinity signed with the exclusive OR of the sign of the operand. 


Table 16-11. Masked Responses to Invalid eperatons 


Any arithmetic operation on an unsupported Return the QNaN indefinite. 
format. 


Return a QNaN (refer to the section “Rules for 
Generating QNaNs’”’). 


Any arithmetic operation on a signaling NaN. 


‘Compare and test operations: one or both oper- | Set condition codes “not comparable.” —_ 
ands is a NaN. — _ | bee ae 8 | | 
Addition of opposite- signed infinities or aeunae: Return the QNaN indefinite. 

tion of like-signed infinities. | 


Multiplication: % x 0; or 0 x ~, Return theQNaN indefinite. ~ 


Division: © + «; or O + 0. 
Remainder instructions FPREM, FPREM1 when 
modulus (divisor) is zero or dividend is ~, -. 


Trigonometric instructions FCOS, FPTAN, FSIN, 
FSINCOS when argument is . | 


FSQRT of negative operand (except FSQRT (—0) 
= —0Q), FYL2X of negative operand (except 
FYL2X (—0) = —~), FYL2XP1 of operand more 
negative than —1. 


FIST(P) instructions when source register is 
empty, a NaN, ~, or exceeds representable 
range of destination. 


FBSTP instruction when source register is .. | 
empty, a NaN, ~, or exceeds 18 decimal digits. 


FXCH instruction when one or both registers are 
tagged empty. 


Return the QNaN indefinite. 
Return ue QNaN indefinite; set tee = 0. 


Return theQNaN indefinite; set C, = 0. 


Return the QNaN indefinite. . 


Store integer indefinite. 


Store. packed decimal indefinite. | 


Change empty registers to the QNaN indefinite 
and then perform exchange. - 
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FYL2X returns an infinity signed with the opposite sign of the non-zero operand. For 
FXTRACT, ST(1) is set to —%; ST is set to zero with the same sign as the original 
operand. If the divide-by-zero exception is unmasked, an exception handler is invoked; 
the operands remain unaltered. 


16.2.4 Denormal Operand 


If an arithmetic instruction attempts to operate on a denormal operand, the FPU reports 
the denormal-operand exception. Denormal operands may have reduced significance 
due to lost low-order bits, therefore it may be advisable in certain applications to pre- 
clude operations on these operands. This can be accomplished by an exception handler 
that responds to unmasked denormal exceptions. Most users will mask this exception so 
that computation may proceed; any loss of accuracy will be analyzed by the user when 
the final result is delivered. 


When this exception is masked, the FPU sets the D-bit in the status word, then proceeds 
with the instruction. Gradual underflow and denormal numbers as handled on the 
Intel486 processor will produce results at least as good as, and often better than what 
could be obtained from a machine that flushes underflows to zero. In fact, a denormal 
operand in single- or double-precision format will be normalized to the extended-real 
format when loaded into the FPU. Subsequent operations will benefit from the addi- 
tional precision of the extended-real format used internally. 


When this exception is not masked, the D-bit is set and the exception handler is invoked. 
The operands are not changed by the instruction and are available for inspection by the 
exception handler. 


The Intel486 FPU and Intel387 math coprocessors handle denormal values differently 
than the 8087 and Intel287 math coprocessors. This change is due to revisions in the 
IEEE standard before being approved. The difference in operation occurs when the 
denormal exception is masked. The Intel486 FPU and Intel387 math coprocessors will 
automatically normalize denormals. The 8087 and Intel287 math Popborcsso1s will gen- 
erate a denormal result. | 


The difference in denormal handling is usually not an issue. The denormal exception is 
normally masked for the Intel387 and Intel486 FPUs. For programs that also run on an 
Intel287 math coprocessor, the denormal exception is often unmasked and an exception 
handler is provided to normalize any denormal values. Such an exception handler is 
redundant for the Intel486 and Intel387 DX FPUs. The default exception handler 
_ Should be used. 


A program can detect at run-time whether it is running on an Intel387 or Intel486 FPU 
or the older 8087/Intel287 math coprocessors. The code sequence in Figure 16-4 is rec- 
ommended to recognize 8087/Intel287 math coprocessors. Refer to Figure 3-23 to iden- 
tify an Intel387 or Intel486 CPU. The example in Figure 16-4 can be used to selectively 
mask the denormal exception for an Intel387 DX or Intel486 FPU. A denormal excep- 
tion handler should also be provided to support 8087/Intel287 math coprocessors. This 
code example can also be used to set a flag to allow use of new instructions added to the 
Intel387 and Intel486 FPUs beyond the instructions of the 8087/Intel287 math 
coprocessors. 
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; Use default infinity mode: 
; projective for 6@4?/Intel24? math coprocessors, 
| 7 affine for Intel3a7 DX and Intel4éb FPU 
FLDL ; Generate infinity — 
FLDZ _— | | 
FDIV. | | 
FLD 3 Form negative infinity — 


FCHS 
FCOMPP ; Compare tinfinity with -infinity 
| FSTSW temp 5 8087/Intelea? math coprocessors will say they are equal 
MOV AX, temp — , _ 
OSAHFO 
JZ =. Using.8@8? 


Figure 16-4. Coprocessor Detection Code 
16.2.5 Numeric Overflow and Underflow _ 


If the exponent of a numeric result is too large for the destination real format, the FPU 
signals a numeric-overflow. Conversely, if the exponent of a result is too small to be 
represented in the destination format, a numeric underflow is signaled. If either of these 
exceptions occur, the Tesult of the operation is outside the range of the destination real 
format. 


Typical algorithms are most likely to produce extremely large and small numbers in the 
calculation of intermediate, rather than final, results. Because of the great range of the 
extended-precision format, overflow and underflow are relatively rare events in most 
numerical pap aaens for the Intel486 processor. 


16. 2.5. 1 OVERFLOW 


The Aeaion eveoptionte can occur sqleneves the rounded true result would: eucced! in 
magnitude the largest finite number in the destination format. The exception can occur 
in the execution of most of the arithmetic instructions and ‘in some of the conversion 
instructions; namely, FST(P), FU)ADD(P), F(I)SUB(R)(P), FU)MUL(P), EDIV (RIE): 
FSCALE, FYL2X, and FYL2XP1. | 
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The response to an overflow condition depends on whether the overflow exception is 
masked: | 


e Overflow exception masked. The value returned depends on the rounding mode as 
Table 16-12 illustrates. 


e Overflow exception not masked. The unmasked response depends on whether the 
instruction is supposed to store the result on the stack or in memory: 


— If the destination is the stack, then true result is divided by 27*°’° and rounded. 
(The bias 24,576 is equal to 3 x 2'°.) The significand is rounded to the appro- 
priate precision (according to the precision control (PC) bit of the control word, 
for those instructions controlled by PC, otherwise to extended precision). The 
roundup bit (C1) of the status word is set if the significand was rounded upward. 


The biasing of the exponent by 24,576 normally translates the number as nearly 
as possible to the middle of the exponent range so that, if desired, it can be used 
in subsequent scaled operations with less risk of causing further exceptions. With 
the instruction FSCALE, however, it can happen that the result is too large and 
overflows even after biasing. In this case, the unmasked response is exactly the 
same as the masked round-to-nearest response, namely +. infinity. The intention 
of this feature is to ensure the trap handler will discover that.a translation of the 
exponent by —24574 would not work correctly without: obliging the programmer 
of Decimal-to-Binary or Exponential functions to determine which trap handler, 
if any, should be invoked. —— : 


— If the destination is memory (this can occur only with the store instructions), 
then no result is stored in memory. Instead, the operand is left intact in the 
stack. Because the data in the stack is in extended-precision format, the excep- 
tion handler has the option either of reexecuting the store instruction after 
proper adjustment of the operand or of rounding the significand on the stack to 
the destination’s precision as the standard requires. The exception handler 
should ultimately store a value into the destination location in memory if the 
program is to continue. | : | 


Table 16-12. Masked Overflow Results ee, 
Rounding Sign of 
Mode True Result , 
| 
‘ _ —co ‘ 7 
+ : : 


— 


~ Toward + | bee | | 
, 7 ' Largest finite negative number 
Toward zero Largest finite positive number 
| Largest finite negative number 
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16.2.5.2 UNDERFLOW 


Underflow can occur in the execution of the instructions FST(P), FADD(P), 
FSUB(RP), FMUL(P), F(I)DIV(RP), FSCALE, FPREM(1), FPTAN, FSIN, FCOS, 
FSINCOS, FPATAN, F2XM1, FYL2X, and FYL2XP1. | 


Two related events contribute to underflow: _ 


1. Creation of a tiny result which, because it is so ori may cause some mee excep- 
tion later (such as overflow upon division). 


2. Creation of an inexact result; i.e. the delivered result differs from what would have 
‘been computed were both the oe range and precision unbounded. 


Which of these events triggers. ue underflow ei dees depends on whether the under- 
flow exception is masked: | ioe 


1. Underflow exception masked. The underflow exception is signaled when the result is 
both tiny and inexact. — , 


2. Underflow exception not: wae The underflow exception iS sionaled when the 
oe is tiny, peels of inexactness. 


The response to an underflow exception also depends on 1 whether the exception is 
masked: 


1. Masked pe pone, The result i iS denormal or zero. The precision exception is also 
triggered. 


2, Uniuskeds response. The unmasked response ache ade on sneer the instruction is 
supposed to store the result on the stack or in memory: 7 


e If the destination is the stack, then the true result is multiplied by 2. ane and 
rounded. (The bias 24,576 is equal (032, ) The significand is rounded to the 
appropriate precision (according to the precision control (PC) bit of the control 
word, for those instructions controlled by PC, otherwise to extended precision). 
The roundup bit (C,) of the status word is set if the significand was rounded 
upward. 


The biasing of the exponent by 24,576 normally translates the number. as nearly 
as possible to the middle of the exponent range so that, if desired, it can be used 
in subsequent scaled operations with less risk of causing further exceptions. With 
the instruction FSCALE, however, it can happen that the result is too tiny and 

- underflows even after biasing. In this case, the unmasked response is exactly the 
same as the masked round-to-nearest response, namely +0. The intention of this 
feature is to ensure the trap handler will discover that a translation by +24576 
would not work correctly without obliging the programmer of Decimal-to-Binary 
or Exponential functions to Geren which trap handler, if any, should be 
invoked. 


e Ifthe destination i is memory (this can occur only with the store instructions), then 
no result is stored in memory. Instead, the operand is left intact in the stack. 
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Because the data in the stack is in extended-precision format, the exception han- 

dier has the option either of reexecuting the store instruction after proper adjust- 

ment of the operand or of rounding the significand on the stack to the 

destination’s precision as the standard requires. The exception handler should 

ultimately store a value into the destination location in memory if the program is 
~ to continue. 


16.2.6 Inexact (Precision) 


This exception condition occurs if the result of an operation is not exactly representable 
in the destination format. For example, the fraction 1/3 cannot be precisely represented 
in binary form. This exception occurs frequently ane indicates that some (generally 
acceptable) accuracy has been lost. | 


By their. nature, the transcendental instructions typically cause the inexact exception. 


The C1 (roundup) bit. of the status word indicates whether the inexact result was 
rounded up (C1:= 1) or chopped (C1 = 0). | . 


The inexact exception accompanies the sneeeiog eseotion when there Is nee a loss of 
accuracy. When underflow is masked, the underflow exception is signaled only when 
there is a loss of accuracy; therefore the precision flag is always set as well. When 
underflow is unmasked, there may or may not have been a loss of accuracy; the precision 
bit indicates which is the case. 


This exception is provided for applications that need to perform exact arithmetic only. 
Most applications will mask this exception. The FPU delivers the rounded or over/ 
underflowed result to the destination, regardless of whether a trap occurs. 


16.2.7 Exception Priority 


The Intel486 processor deals with exceptions according to a predetermined precedence. 
Precedence in exception handling means that higher-priority exceptions are flagged and 
results are delivered according to the requirements of that exception. Lower-priority 
exceptions may not be flagged even if they occur. For example, dividing an SNaN by zero 
causes an invalid-operand exception (due to the SNaN) and not a zero-divide exception; 
the masked result is the QNaN real indefinite, not ». A denormal or inexact (precision) 
exception, however, can accompany a numeric underflow or overflow exception. 


The precedence among numeric exceptions is as follows: 
1. Invalid operation exception, subdivided as follows: 
a. Stack underflow. | 
b. Stack overflow. 
c. Operand of unsupported format. 
d. SNaN operand. 
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2. QNaN operand. Though this is not an exception, if one operand is a QNaN, dealing 
with it has precedence over lower-priority exceptions. For example, a QNaN divided 
by zero results in a QNaN, not a zero-divide exception. 


3. Any other invalid- -operation exception not mentioned above or zero divide. 


4. Denormal operand. If masked, then instruction execution continues, and a lower- 
priority exception can occur as well. 


5. Numeric overflow and underflow. Inexact result (precision) can be flagged as wer 
6. Inexact. result neces? 


16. 2.8 Standard Underflow/Overflow Exception Handler 


As long as the underflow and overflow exceptions are masked, no additional software j iS 
required to cause the output of the Intel486 processor to conform to the requirements of 
IEEE Std 854. When unmasked, these exceptions give the exception handler an addi- 
tional option in the case of store instructions. No result is stored in memory; instead, the 
operand is left intact on the stack. The handler may round the significand of the operand 
on the stack to the destination’s precision as the standard requires, or it may adjust the 
operand and reexecute the faulting instruction. ) 
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CHAPTER 17 
_ FLOATING- POINT INSTRUCTION SET 


The floating-point instructions available on the Intel486 processor can be grouped into 
six functional classes: : 


e Data Transfer Instructions 

e Nontranscendental Instructions 
e Comparison Instructions 

e Transcendental Instructions 

eo Constant Instructions 


e Control Instructions 


In this chapter, the instruction classes are described as a collection of resources available 
to ASM386/Intel486 programmers. For details of format, encoding, and execution times, 
see the instruction reference pages in Chapter 26. 


The Intel387 math coprocessors and Intel486 FPU have more instructions than the 8087/ 
Intel287 math coprocessors. Some Intel386 DX microprocessor systems use an Intel287 
math coprocessor. See Figures 3-23 and 16-4 for examples of how to detect whether an 
8087/Intel287 math coprocessor is present to use the new instructions when available. 


17.1 SOURCE AND DESTINATION OPERANDS 


_ The typical floating-point instruction takes one or two operands, which can come from 
the FPU register stack or from memory. Many instructions, such as FSIN, automatically 
Operate on the top FPU stack element. Others allow, or require, the programmer to 
code the operand(s) explicitly along with the instruction mnemonic. Still others accept 
one explicit operand ang one implicit operand (usually the top FPU stack element). 


Whether specified by the programmer or supplied by default, aosine: point operands 
are of two basic types, sources and destinations. A source operand provides an input to an 
instruction, but is not altered by its execution. Even when an instruction converts the 
source operand from one format to another (e.g., real to integer), the conversion is 
performed in an internal ‘work area to avoid altering the source operand. A destination 
operand may also provide an input to an instruction; on execution, however, the instruc- 
tion returns a result to the destination, overwriting its previous contents. 


Many instructions allow their operands to be coded in more than one way. For example, 
_ FADD (add real) may be written without operands, with only a source, or with a desti- 
nation and a source. When both destination and source operands are specified, the 
destination must precede the source on the command line, and both must come from the 
FPU stack. 
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Memory operands can be coded with any of the memory-addressing methods provided 
by the ModR/M byte. To review these methods (BASE = (INDEX X SCALE) + 
DISPLACEMENT), refer to Chapter 2; Floating- point instructions with memory oper- 
ands either read from memory or write to it; no floating-point instruction does both.For 
a detailed description of each instruction, including its range of possible eneoUines, see 
the reference pages in Chapter 26. , . 


17.2 DATA TRANSFER INSTRUCTIONS 


_ These instructions (summarized in Table 17-1) move operands among elements of the 
register stack, and between the stack top and memory. Any of the seven data types can 
be converted to extended-real and loaded (pushed) onto the stack in a single operation; 
they can be stored to memory in the same manner. The data transfer instructions auto- 
matically update the FPU tag word to reflect. WHEENCE the ce is Sep: or emus fol- 
lowing the instruction. | | 


17.3 NONTRANSCENDENTAL INSTRUCTIONS | 


The nontranscendental instruction set provides a wealth of variations on the basic add, 
subtract, multiply, and divide operations, and a number of other useful functions. These 
range from a simple absolute value instruction to-instructions which perform exact mod- 
ulo division, round real numbers to integers, and scale values by powers of two. 
Table 17-2 shows the nontranscendental eperanons Bes apae from basic 
arithmetic. od, Ate =. : | 


The basic arithmetic instructions (addition, subtraction, multiplication and division) are 
designed to encourage the development of very efficient algorithms. In particular, they 
allow the programmer to reference. memory as easily as the FPU register stack. 
Table 17-3 summarizes the available operation/operand forms that are provided for basic 
arithmetic. In addition to the four normal operations, there are * ‘reversed”’ subtraction 


Table 17-1. Data Transfer Instructions : 
| Integer ~ : Packed Decimal 
Load Real ‘Load Integer FBLD Load Packed Decimal 


StoreReal ~ = —- J Store Integer 


Store Real and Pop : Store Integer and ~ FBSTP Load Packed Decimal 
| aS ge eS Ip ee Pee. a vege ‘| and Pop Oo 


‘Exchange registers | 
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Table 17-2. Nontranscendental Instructions (Besides Basic Arithmetic) 


a 


FSQRT Square Root 
FSCALE Scale : 
FXTRACT Extract Exponent and Significand 


FPREM Partial Remainder 

FPREM1* IEEE Standard Partial Remainder 
FRNDINT | Round to Integer 

FABS ' Absolute Value 

FCHS Change Sign 


*Not available on 8087/Intel287™ math coprocessor. — 


Table 17-3. Basic Arithmetic Instructions and Operands 


| ; _ Mnemonic | Operand Forms: | 
Instruction Form . . Be ne eat Was oe 
| | | Form | Destination, Source 


Classical Stack = : {ST(1), ST} 

Classical Stack, extra pop {ST(1), ST} : 

Register 7 ST(i), ST or ST, ST(i) 

Register, pop ST(i), ST 

Real Memory {ST} single-real/double-real 

Integer Memory | {ST} word-integer/short-integer 
NOTES: | 
Braces ({ }) surround implicit operands; these are not coded, but are supplied as the assembler. -. 


op= ADD - DEST < DEST + SRC 7 
| SUB DEST < ST — Other Operand . 
SUBR DEST < Other Operand — ST 
MUL DEST < DEST x SRC 
DIV DEST < DEST + SRC 
DIVR DEST < SRC + DEST. 


and division instructions which eliminate the need for many exchanges between ST(0) 
and ST(1). The variety of instruction and operand forms give the programmer unusual 
flexibility: 


e Operands can be located in registers or memory. 
-e Results can be deposited in a choice of registers. 


e Operands can be a variety of numerical data types: extended real, double real, single 
real, short integer or word integer, with automatic conversion to extended real per- 
formed by the FPU. 


Five basic instruction forms can be used across all six operations, as shown in Table 17-3. 
The classical stack form can be used to make the FPU operate like a classical stack 
machine. No operands are coded in this form, only the instruction mnemonic. The FPU 
picks the source operand from the stack top (ST) and the destination from the next stack 
element (ST(1)). After performing its calculation, it returns the result to ST(1) and then 
pops ST, eneetve’) replacing the operands by the result. . = . 
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The register form is a generalization of the classical stack form; the programmer speci- 
fies the stack top as one operand and any register on the stack as the other operand. 
Coding the stack top as the destination provides a convenient way to access a constant, . 
held elsewhere in the stack, from the top stack. The destination need not always be ST, 
however. The basic two-operand instructions allow the use of another register as the 
destination. Using ST as the source allows, for example, adding the stack top into a 
register used as an accumulator. (ok 


Often the operand in the stack top is needed for one operation but then is of no further 
use in the computation. The register pop form can be used to pick up the stack top as 
the source operand, and then discard it by popping the stack. Coding operands of ST(1), 
ST with a register pop mnemonic is equivalent to a classical stack operation: the top is 
popped and the result is left at the new top. | 


The two memory forms increase the flexibility of the nontranscendental instructions. 
They permit a real number or a binary integer in memory to be used directly as a source 
operand. This is useful in situations where operands are not used frequently enough to 
justify holding them in registers. Note that any memory-addressing method can be used 
to define these operands, so they can be elements in arrays, structures, or other a 3 
organizations, as well as simple scalars. 


17.4 COMPARISON INSTRUCTIONS 


The instructions of this class allow numbers of all supported real and integer data types 
to be compared. Each of these instructions (Table 17-4) analyzes the top stack element, 
often in relationship to another operand, and Teports the result as a condition code 
(flags CO, C2, and C3) in the status word. 


The basic operations are compare, test (compare with zero), and examine (report type, 
sign, and normalization). Special forms of the compare operation are provided to opti- 
mize algorithms by allowing direct comparisons with binary integers and real numbers in 
memory, as well as popping the stack after a comparison. | 


Table 17-4, Comparison instructions _ 


LL mmemonic | Operation 


FCOM | Compare Real 

FCOMP Compare Real and Pop 
FCOMPP | Compare Real and Pop Twice © 
FICOM Compare Integer 


FICOMP Compare Integer and Pop 

FIST | | _ Test 
FUCOM* | _ Unordered Compare Real 
-FUCOMP* _. Unordered Compare Realand Pop 
FUCOMPP* — Unordered Compare Real and Pop Twice . 
FXAM Examine 


*Not available on 8087/Intel287™ math coprocessor. 
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The FSTSW AX (store status word) instruction can be used after a comparison to trans- 
fer the condition code to the AX register for inspection. The TEST instruction is recom- 
mended for using the FPU flags (once they are in the AX register) to control conditional © 
branching. First check to see if the comparison resulted in unordered. This can happen, 
for instance, if one of the operands is a NaN. TEST the contents of the AX register 
against the constant 0400H; this will clear ZF (the Zero Flag of the EFLAGS register) if 
the original comparison was unordered, and set ZF otherwise. The JNZ instruction can 
now be used to transfer control (if necessary) to code which handles the case of unor- 
dered operands. With the unordered case now filtered out, TEST the contents of the 
AX register against the appropriate constant from Table 17-5, and then use the corre- 
sponding conditional branch. 


It is not always necessary to filter out the unordered case when using this algorithm for 
conditional jumps. If the software has been thoroughly tested, and incorporates periodic 
checks for QNaN results (as recommended in Chapter 16), then it is not necessary to 
check for unordered every time a comparison is made. | | 


Instructions other than those in the comparison group can update the condition code. To 
ensure that the status word is not altered inadvertently, store it acess, sorowaes a 
comparison operation. 


17.5 TRANSCENDENTAL INSTRUCTIONS 


The instructions in this group (Table 17-6) perform the time-consuming core calcula- 
tions for all common trigonometric, inverse trigonometric, hyperbolic, inverse hyper- 
bolic, logarithmic, and exponential functions. The transcendentals operate on the top 
one or two stack elements, and they return their results to the stack. The trigonometric 
Operations assume their arguments are expressed in radians. The logarithmic and expo- 
nential Sperauions. work in base 2. 


The results of transcendental instructions are highly accurate. The absolute value of the 
relative error of the transcendental instructions is guaranteed to be less than oi (Rel- 
ative error is the ratio between the absolute error and the exact value. ) 


The trigonometric functions accept a practically unrestricted range of operands, whereas 
the other transcendental instructions require that arguments be more restricted in range. 
FPREM or FPREM1 can be used to bring the otherwise valid operand of a periodic 
function into range. Prologue and epilogue software can be used to reduce arguments 


Table 17-5. TEST Constants for Conditional Branching 


a 


ST > Operand 


ST < Operand 
ST = Operand 
Unordered 
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Table 17-6. Transcendental Instructions 
Operation 


FSIN*® - Sine 

FCOS* 7 Cosine 
FSINCOS* Sine and Cosine. 
FPTAN** . ; Tangent — 


FPATAN | Arctangent of ST(1) + ST 

F2XM1** 2X — 1: X is in ST 

FYL2X | | Y x logoX; Y is in ST(1), Xis in ST 
-FYL2XP1 ~ Y x logs(X + 1); Y is in ST(1), X is in ST 


*Not available on 8087/Intel287™ math coprocessor. 
**Operand range extended over 8087/Intel287 math coprocessor. 


for other instructions to the expected range and to adjust the result to correspond to the 
original arguments if necessary. The instruction descriptions in the reference pages of 
Chapter 26 document the allowed operand range for each instruction. 


When the argument of a trigonometric function is in range, it is automatically reduced 
by the appropriate multiple of 27 (in 66-bit precision), by means of the same mechanism 
used in the FPREM and FPREM1 instructions. The value of a used in the automatic 
reduction has been chosen so as to guarantee no loss of significance in the operand, | 
provided it is within the specified range. The internal value of 7 is: 


4* 0. CIOFDAA2 2168C234 C H. 


A program may u use an ecalict value for 7 in computations whose results later appear as 
arguments to trigonometric functions. In such a case (in explicit reduction of a trigono- 
metric operand outside the specified range, for example), the value used for 7 should be 
the same as the full 66-bit internal 1. This will insure that the results are consistent with 
the automatic argument reduction performed by the trigonometric functions. The 66-bit 
_ am cannot be represented as an extended-real value, so it must be encoded as two or more 
numbers. A common solution is to represent 7 as the sum of a hight which contains the 
33 most-significant bits and a lowm which contains the 33 least-significant bits. When 
using this two-part 7, all computations should be performed separately on each part, 
with the results added only at the end. 


The complications of maintaining a consistent value of m for argument reduction can be 
avoided, either by applying the trigonometric functions only to arguments within the 
range of the automatic reduction mechanism, or by performing all argument reductions 
(down to a magnitude less than 1/4) explicitly in software. 


17.6 CONSTANT INSTRUCTIONS 


Each of these instructions (Table 17-7) pushes a commonly used constant onto the stack. 
(ST(7) must be empty to avoid an invalid exception.) The values have full extended real 
precision (64 bits) and are accurate to approximately 19 decimal digits. Because an 
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Table 17-7. Constant Instructions 


a 


FLDZ Load +0.0 
FLD1 Load +1.0 


FLDPI Load 
FLDL2T Load log, 10 
FLDL2E Load log.e 
FLDLG2 Load log, 2 
FLDLN2 Load log,2 


external real constant occupies 10 memory bytes, the constant instructions, which are 
only two bytes long, save storage and improve execution speed, in addition to simplifying 
programming. 


The constants used by these instructions are stored internally in a format more precise 
than extended real. When loading the constant, the FPU rounds the more precise inter- 
nal constant according the RC (rounding control) bit of the control word. However, in 
spite of this rounding, the precision exception is not raised (to maintain compatibility). 
When the rounding control is set to round to nearest, the FPU produces the same 
constant that is produced by the 8087 and Intel287 numeric coprocessors. 


17.7 CONTROL INSTRUCTIONS 


The FPU control instructions are shown in Table 17-8. The FSTSW instruction is com- 
monly used for conditional branching. The remaining instructions are not typically used 
in calculations; they provide control over the FPU for system-level activities. These activ- © 
ities include initialization of the FPU, numeric exception handling, and task switching. 


Table 17-8. Control Instructions 


ee 


FINIT / FNINIT Initialize FPU 
FLDCW Load Control Word 

FSTCW / FNSTCW Store Control Word 

FSTSW / FNSTSW Store Status Word 

FSTSW AX / FNSTSW AX* | Store Status Word to AX Register 
FCLEX / FNCLEX : Clear Exceptions 

FSTENV / FNSTENV Store Environment 

FLDENV Load Environment 

FSAVE / FNSAVE Save State 

FRSTOR | Restore State 

FINCSTP Increment Stack-Top Pointer 
FDECSTP Decrement Stack-Top Pointer 
FFREE Free Register 
FNOP No Operation 
FWAIT | Report FPU Error 


*Not available on 8087 math coprocessor. 
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As shown in Table 17-8, certain instructions have alternative mnemonics. The instruc- 
tions which initialize the FPU, clear exceptions, or store (all or part of) the FPU envi- 
ronment come in two forms: 


e Wait—the mnemonic is prefixed only with an F, such as FSTSW. This form cheeks for 
unmasked numeric exceptions. 


@ No-wait—the mnemonic is prefixed with an FN, such as FNSTSW. This form 1 ignores 
unmasked numeric exceptions. 7 


When the control instruction is coded using the no-wait form of the mnemonic, the 
ASM386/486 assembler does not precede the ESC instruction with a WAIT instruction, 
-and the processor does not test t LOE a iHoating: pou error concen before Sou the 
control instruction. 7 


The only no-wait instructions are those shown in Table 17-8. All other floating-point | 
instructions are automatically synchronized by the processor; all operands are trans- 
ferred before the next instruction is initiated. Because of this automatic synchronization, 
non-control floating-point instructions need not be picregee by a | WAIT instruction in 
order to execute COPPECLY: | } Hee el 


EKeepien synchronization ‘lies on the WAIT instruction. Since the Integer Unit and 
the FPU operate in parallel, it is possible in the case of a floating-point exception for the ~ 
processor to disturb information vital to exception recovery before the exception-handler - 
can be invoked. Coding a WAIT or FWAIT instruction in 1 the proper a can prevent 
this. See Chapter 18 for details. 


It should also be noted that the 8087 instructions FENI and FDISI and the Intel287 
instruction FSETPM perform no function in the Intel486 processor. If these opcodes are 
detected in the instruction stream, the Intel486 processor performs no specific operation 
and no internal states are affected. Chapter 25 contain a more complete description of 
the differences between floating- point operations on the ee processor and on 8087, 
Intel287, and Intel387 Dx numeric coprocessors. | 
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CHAPTER 18 
NUMERIC APPLICATIONS 


18.1 PROGRAMMING FACILITIES 


This section describes how programmers in ASM386/486 and in a variety of higher-level 
languages can make use of the Intel486 processor’s numerics capabilities. | 


The level of detail in this section is intended to give programmers a basic understanding 
of the software tools that can be used for numeric programming, but this information 
does not document the full capabilities of these facilities. eonicle documentation is 
available with each program development product. a 


18.1.1 High-Level Languages 


A variety of Intel high-level languages are available that automatically make use of the 
numeric instruction set when appropriate. These languages include C-386/486 and 
PL/M-386/486. In addition many high-level language compilers are available from inde- 
pendent software vendors. , 


Each of these high-level languages has special numeric libraries allowing programs to 
take advantage of the capabilities of the FPU. No special programming conventions are 
necessary to make use of the oe when programming numeric applications in any of 
these languages. 


Programmers in PL/M-386/486 and ASM386/486 can also make use of many of these 
library routines by using routines contained in the Support Library. These libraries 
implement many of the functions provided by higher-level languages, including exception 
handlers, ASCII-to-floating-point conversions, and. a more complete set of transcenden- 
tal functions than that provided by the Intel486 numeric instruction set. | 


18.1.2 C Programs 


C programmers automatically cause the C compiler to generate Intel486 numeric 
instructions when they use the double and float data types. The float type corresponds to 
the single real format; the double type corresponds to the double real format. The state- 
ment #include (math. h) causes mathematical functions such as sin and sqrt to return 
values of type double. Figure 18-1 illustrates the ease with ee C programs can Se 
use of the Intel486 processor’s numerics capabilities. | —_ : 
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* 


SAMPLE C PROGRAM tS we oy 
. * 


HHH IKI IKIKIK III EREE EEE ER ERE REE 


-7** Include /usr/include/stdio.h. if necessary **/ —_ 
/** Include math declarations for transcendenatals and others **/ 


#include </usr/include/math.h> 
#define PI.3.141 5926535897943 . 


| maine)? 


double sin_result, cos_result;. | 
double angle_deg = 0.0, angle_rad; 
int i, no_of_trial = 4; 


for( i = 1; i <= no_of_trial; i++)€ 

angle_rad = angle_deg * PI / 180.0; 

sin_result = sin (angle_rad); 

cos result = cos (angle_rad); 

printf("sine of %f degrees equals %f\n", angle_deg, sin_result); | 

printf ("cosine of “%f degrees equals 4f\n\n", angle_deg, cos_result);_ 
angle_deg = angle_deg + 30.0; — . | 
/ 4 i a 
| hugs 9 oad 
> 
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Figure 18-1. Sample C-386/486 Program 
18.1.3 PL/M-386/486 


Programmers in PL/M-386/486 can access a very useful subset of the Intel486 processor’s 
numeric capabilities. The PL/M-386/486 REAL data type corresponds to the single real 
(32-bit) format. This data type provides a range of about 8:43 x 107°’ < | X | s 3.38 x 
10°8, with about seven significant decimal digits. This representation is adequate for the 
data manipulated by many microcomputer applications. 


The utility of the REAL data type is extended by the PL/M-386/486 compiler’s practice 
of holding intermediate results in the extended real format. This means that the full 
range and precision of the processor are utilized for intermediate results. Underflow, 
overflow, and rounding exceptions are most likely to occur during intermediate compu- 
tations rather than during calculation of an expression’s final result. Holding intermedi- 
ate results in extended-precision real format greatly reduces the likelihood of overflow 
and underflow and eliminates roundoff as a serious source of error until the final assign- - 
ment of the result is performed. pee RES " NG Se aS 
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The compiler generates floating-point instructions to evaluate expressions that contain 
REAL data types, whether variables or constants or both. This means that addition, 
subtraction, multiplication, division, comparison, and assignment of REALs will be per- 
formed by the FPU. INTEGER eens) on the other hand, are evaluated by the 
Integer Unit. 


Five built-in procedures (Table 18-1) give the PL/M-386/486 programmer access to FPU 
control instructions. Prior to any arithmetic operations, a typical PL/M-386/486 program 
will set up the FPU using the INIT$SREAL$MATH$UNIT procedure and then issue 
SETS$REAL$MODE to configure the FPU. SETSREAL$MODE loads the FPU control 
word, and its 16-bit parameter has the format shown for the control word in Chapter 14. 
The recommended value of this parameter is 033EH (round to nearest, 64-bit precision, 
all exceptions masked except invalid operation). Other settings may be used at the pro- 
grammer’s discretion. 


If any exceptions are unmasked, an exception handler must be provided in the form of 
an interrupt procedure that is designated to be invoked via interrupt vector number 16. 
The exception handler can use the GET$REAL$ERROR procedure to obtain the low- - 
order byte of the FPU status word and to then clear the exception flags. The byte 
returned by GET$REALSERROR contains the exception flags; these can be examined 
to determine the source of the exception. 


The SAVESREAL$STATUS and RESTORE$REALSSTATUS procedures are pro- 
vided for multitasking environments where a running task that uses the FPU may be 
preempted by another task that also uses the FPU. It is the responsibility of the operat- 
ing system to issue SAVE$REALS$STATUS before it executes any statements that affect 
the FPU; these include the INITSREALSMATH$UNIT and SET$REAL$MODE pro- 
cedures as well as arithmetic expressions. SAVE$REAL$STATUS saves the FPU state 
(registers, status, and control words, etc.) on the memory stack. RESTORE$REAL- 
SSTATUS reloads the state information; the preempting task must invoke this proce- 
dure before terminating in order to restore the FPU to its state at the time the running 
task was preempted. This enables the preempted task to resume execution from the 
point of its preemption. . 


- Table 18-1. PL/M-386/486 Built-In Procedures 


Procedure | Sin tals ; Description : 
Instruction 


INIT$REALSMATHSUNIT FINIT Initialize FPU 
SET$REAL$MODE FLDCW Set exception masks, rounding precision, and 


infinity controls. 


GET$REAL$ERROR — FNSTSW Store, then clear, exception flags. 
& FNCLEX 


SAVE$REAL$STATUS FNSAVE _ Save FPU state. 
RESTORE$REAL$STATUS FRSTOR Restore FPU state. 
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18.1.4 ASM386/486 


The ASM386/486 assembly language arenes programmers with n complete a access to al 
of the facilities of the processor. | 


18.1.4.1 DEFINING DATA 


The ASM386/486 directives shown in Table 18-2 allocate storage for numeric variables 
and constants. As with other storage allocation directives, the assembler associates a 
_ type with any variable defined with these directives. The type value is equal to the length 
of the storage unit in bytes (10 for DT, 8 for DQ, etc.). The assembler checks the type of 
any variable coded in an instruction to be certain that it is compatible with the instruc- 
tion. For example, the coding FIADD ALPHA will be flagged as an error if ALPHA’s 
type is not 2 or 4, because integer addition is only available for word and short integer 
(doubleword) data types. The operand’s type also tells the assembler which machine 
instruction to produce; although to the programmer there is only an FIADD instruction, 
a different machine instruction is required for each operand type. 


On occasion it is desirable to use an instruction with an operand that has no declared 
type. For example, if register BX points to a short integer variable, a programmer may 
want to code FIADD [BX]. This can be done by informing the assembler of the oper- 
and’s type in the instruction, coding FIADD DWORD PTR [BX]. The corresponding 
overrides for the other storage allocations are WORD PTR, QWORD PTR, and 
TBYTE PTR. 


The assembler does not, however, check the types of operands used in processor control 
instructions. Coding FRSTOR [BP] implies that the programmer has set up register BP 
to point to the location (probably in the SE where the processor’s at -byte state record 
has pee) previously saved. 


The initial values for numeric constants may be coded in sever different ways. Binary 
integer constants may be specified as bit strings, decimal integers, octal integers, or 
hexadecimal strings. Packed decimal values are normally written as decimal integers, 
although the assembler will accept and convert other representations of integers. Real 
values may be written as ordinary decimal real numbers (decimal point required), as 
decimal numbers in scientific notation, or as hexadecimal strings. Using hexadecimal 
strings is primarily intended for defining special values such as infinities, NaNs, and 
denormalized numbers. Most programmers will find that ordinary decimal and scientific 
decimal provide the simplest way to initialize numeric constants. Figure 18-2 compares 
several ways of setting the various numeric data types to the same initial value. 


Table 18-2. ASM386/486 Storage Allocation Directives | 


| Directives Interpretation 7 ~ Data Types | 


Define Word Word integer 


Define Doubleword _ Short integer, short real 
Define Quadword ‘Long integer, long real 
Define Tenbyte - = Packed decimal, temporary real 
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s THE FOLLOWING ALL ALLOCATE THE CONSTANT: -126 
; NOTE TWO’S COMPLETE STORAGE OF NEGATIVE BINARY INTEGERS. 


FORCE WORD ALIGNMENT 
BIT STRING 
HEX STRING MUST START 


1 EVEN 1 
; WITH DIGIT 


WORD_INTEGER DW 111117110000 108 
SHORT_INTEGER DD OFFFFFFS82H 


ORDINARY DECIMAL 

NOTE PRESENCE OF ‘.' 
"SCIENTIFIC" 

ORDINARY DECIMAL INTEGER 


LONG_LINTEGER D@ -126 
SEINGLE_REAL DD -126.0 
DOUBLE_REAL DD. =ti26be2 
PaERED DECIMAL DT -126 
IN THE FOLLOWING, SIGN AND EXPONENT IS ‘C005’ 
SITGNIFICAND 1S ‘7E00...00%, ‘R’ INFORMS ASSEMBLER THAT 
THE STRING REPRESENTS A REAL DATA TYPE. 


EXTENDED_REAL DT OCOOSTEDDODNDN0000000R 3 3 HEX STRING 
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Figure 18-2. Sample Numeric Constants 


Note that preceding numeric variables and constants with the ASM386/486 EVEN direc- 
tive ensures that the operands will be word-aligned in memory. The best performance is 
obtained when data transfers are double-word aligned. All numeric data types occupy 
integral numbers of words so that no storage is “wasted” if blocks of variables are 
defined together and preceded by a single EVEN declarative. 


18.1.4.2 RECORDS AND STRUCTURES | 


The ASM386/486 RECORD and STRUC (structure) declaratives can be very useful in 
numeric programming. The record facility can be used to define the bit fields of the 
control, status, and tag words. Figure 18-3 shows one definition of the status word and 
how it might be used in a routine that polls the FPU until it has completed an 
instruction. | 


Because structures allow different but related data types to be grouped together, they 
often provide a natural way to represent “real world” data organizations. The fact that 
the structure template may be “moved” about in memory adds to its flexibility. 
Figure 18-4 shows a simple structure that might be used to represent data consisting of a 
series of test score samples. This sample structure can be reorganized, if necessary, for 
the sake of more efficient execution. If the two double real fields were listed before the 
integer fields, then (provided that the structure is instantiated only at addresses divisible 
by eight) all the fields would be optimally aligned for efficient memory access and cach- 
ing. A structure could also be used to define the organization of the information stored 
and loaded by the FSTENV and FLDENV instructions. 


18-5 


intel ; NUMERIC APPLICATIONS 


; RESERVE SPACE FOR STATUS WORD 
STATUS WORD 
; LAY OUT STATUS WORD FIELDS 
STATUS RECORD 
BUSY: 1, 
COND_CODE3: i; 
STACK_TOP: ce 
COND _CODE2: i 
COND CODE1; i 
COND_CODED: i; 
INT_REQ: 1, 
1, 
1, 
Va 
lig 
1, 
1, 


I_FLAG: { 
REDUCE UNTIL COMPLETE 
EDUCE: FPREM! 
FNSTSW STATUS _WORD 
TEST STATUS _WORD, MASK _COND_CODE2 
JNZ REDUCE : 


Figure 18-3. Status Word Record Definition | 


SAMPLE  STRUC 


N_OBS DD SHORT INTEGER 


’ 
MEAN DQ ? + DOUBLE REAL 
9 


MODE DW + WORD INTEGER 
STD_DEV DQ ? ; DOUBLE REAL 
* ARRAY OF OBSERVATIONS -- WORD INTEGER 
TEST_SCORES DW 1000 DUP (7) 
SAMPLE | ENDS 


Figure 18-4. Structure Definition 


18.1.4.3 Addressing | Methods | 
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Numeric data i in memory can 1 be accessed with any of the memory gddieecite methods 
provided by the ModR/M byte and (optionally) the SIB byte. This means that numeric 
data types can be incorporated in data aggregates ranging from simple to complex 
according to the needs of the application. The addressing methods and the ASM386/486 
notation used to specify them in instructions make the accessing of structures, arrays, 
arrays of structures, and other organizations direct and straightforward. Table 18-3 gives 
several examples of numeric instructions coded wie operands that illustrate meron 


addressing methods. 
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Table 18-3. Addressing Method Examples 


FIADD ALPHA ALPHA is a simple scalar (mode is direct). 
FDIVR ALPHA.BETA BETA is a field in a structure that is “overlaid” on ALPHA 
(mode is direct). 


FMUL QWORD PTR [BX] BX contains the address of a long real variable (mode is 
register indirect). 


FSUB ALPHA [Sl] ALPHA is an array and SI contains the offset of an array 
element from the start of the array (mode is indexed). 

FILD [BP].BETA BP contains the address of a structure on the CPU stack 
and BETA is a field in the structure (mode is based). 

FBLD TBYTE PTR [BX] [DI] BX contains the address of a packed decimal array and DI 
contains the offset of an ey element (mode is based 
indexed). 


18.1.5 Comparative Programming Example 


Figures 18-5 and 18-6 show the PL/M-386/486 and ASM386/486 code for a simple 
numeric program, called ARRSUM. The program references an array (X$ARRAY), 
which contains 0-100 single real values; the integer variable NSOF$X indicates the num- 
ber of array elements the program is to consider. ARRSUM — through X$ARRAY 
accumulating three sums: 


e SUMS$X, the sum of the array values 


e SUMS$INDEXES, the sum of each array value times its index, where the index of the 
first element is 1, the second is 2, etc. 


o SUM$SQUARES, the sum of each array element icied: 


(A true program, of course, would go beyond these steps to store and use ‘the results of 
these calculations.) The control word is set with the recommended values: round to 
nearest, 64-bit precision, interrupts enabled, and all exceptions masked except invalid 
operation. It is assumed that an exception handler has been written to field the invalid 
operation if it occurs, and that it is invoked my interrupt pomey 16. 7 


The PL/M- 386/486 version of ARRSUM (Figure 18-5) is vety straightforward nd illus- 
trates how easily the numerics capabilities of the Intel486 processor can be used in this 
language. After declaring variables, the program calls built-in procedures to initialize the 
FPU and to load to the control word. The program clears the sum variables and then 
steps through X$ARRAY with a DO-loop. The loop control takes into account 
PL/M-386/486’s practice of considering the index of the first element of an array to be 0. 
In the computation of SUM$INDEXES, the built-in procedure FLOAT converts I+1 
from integer to real because the language does not support ‘ ‘mixed mode”’ arithmetic. 
One of the strengths of the Intel486 FPU, of course, is that it does support arithmetic on 
mixed data types (because all values are converted ni to the 80-bit es 
precision real format). isn | 
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Pete pa eee eae ee eee emer ere 
* 5 Pas she ai a * 
* ol fe catia alee MODDULE i: 
* * 
{BABII III IIIA AAAI 


| array$sum: do; 


declare (sum$x, ‘sumbindexes, ‘sun$squares) real; 
declare x$array(100) real; 

declare (nsof$x, i) integer; 

| declare contlel’s eo erecta '033eh'; 


ye Assume x$array ain nof$x: are "initialized - 
call init$SrealSmath$unit; : 
call set$real$mode(control $ FPU); 


/* Clear sums */ 
shalladal BURP IOGERES Pace de aa = 0.0; 


dul neon chfouali: array, seemnulaeine sums */ 
do i = 0 to n$of$x: - 1; : ? 
sum$x = sum$x + x$array(i); 
sum$indexes = sum$indexes + (x$array(i)*float(i+1)); 
sum$squares = sum$squares + (x$array(i)*x$array(i)); 


end; 
{* etc. */ 


end array$sum; 
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The ASM386/486 version (Figure 18- 6) defines the axcuial procedure INITFPU, which 
parent to the source code. After defining the data and setting up the segment registers 
and stack pointer, the program calls INITFPU and loads the control word. The compu- 
tation begins with the next three instructions, which clear three registers by loading 
(pushing) zeros onto the stack. As shown in Figure 18-7,.these registers remain at the 
bottom of the stack throughout the computation while enor values are pushed on 
and Popped off the eee avove ace | : 


The program: uses the LOOP ree to control its iteration through X_ARRAY; 
register ECX, which LOOP automatically decrements, is loaded with N-OF_X,.the num- 
ber of array elements to.be summed. Register. ESI is used to select (index) the array 
elements. The program steps through X_ARRAY from back to front, so ESI is initialized 
to point at the element just beyond the first element to be processed. The ASM386/486 
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name arraysum 
: Define initialization routine 
extrn init FPU: far 


; Allocate space for data 


data segment rw public 
control_FPU dw 033eh | 
n_of_x dd ? 

X_array dd 100 dup (7?) 


sum_squares dd ? 
sum_indexes dd ? 
sum_X dd ? 
data ends | 


* Allocate CPU stack space .. 
stack stackseg 400 
» Begin code 
code segment er public 
assume ds:data, ss:stack 
start: 

ax, data 

ds, ax 

ax, stack 

eax, Oh 

SS, ax 


esp, stackstart stack 


> Assume x_array and n_of_x have 
; been initialized 


- Prepare the FPU or its emulator | 


call initFPU 
fldcw control_FPU 


- Clear three registers to hold 
* running sums 


—Fldz 


fldz 
fldz 
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Figure 18-6. Sample ASM386/486 Program 
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: Setup ECX as loop counter and ESI 
; as index into x_array 


mov ecx, n_of_x 
imul ecxX 
mov esi, eax 


; ESI now contains index of last 
; element + 1 a 

; Loop through x_array and 

; accumulate sum 


sum_next: ; 
; backup one element and push on 
7 the stack _ 


sub esi, type X_array 
fld x_array[esi] © 


; add to the sum and duplicate x 
; on the stack 


fadd st(3), st 
fld st 


; square it and add into the sum of 
* (index+1) and discard 


~ fmul st, st 
faddp st(2), st 


» reduce index for next iteration 


dec n_of_x | 
loop  sum_next 


; Pop sums into memory 


pop_results: 
fstp sum_Squares 
fstp sum_indexes © 
fstp sum_X_ 
_fwait 


- Etc. 


f 
code ends 
end start, ds:data, ss:stack 
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Figure 18-6. Sample ASM386/486 Program (Contd.) 
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FLDZ, FLDZ, FLDZ | FLD X_ARRAY{SI] 
SUM_SQUARES _ ST(0) | X_ARRAY (19) 
SUM_INDEXES ST(1) | SUM_SQUARES 
SUM_X. ! | SuM_INDEXES 


SUM_X 


| X_ARRAY (19) ST(O) | X_ARRAY (19) 


| SUM_SQUARES —ST(1) | | X_ARRAY(19) 
| SUM_INDEXES —ST(2) | | SUM_SQUARES 
| SUM_X ST(3) | SUM_INDEXES 


1 sum_x 


| X_ARRAY (19) 
ST(1) | SUM_SQUARES 
ST(2) | 1 SUM_INDEXES 


— ST(3) | 


| X_ARRAY (19)'20 ST(O) | | SUM_SQUARES 
SUM_SQUARES __ ST(1) | } SUM_INDEXES 
SUM_INDEXES ST(2) | | SUM_X 


| SUM_X 


240486i18-7 


Figure 18-7. Instructions and Register Stack 


TYPE operator is used to determine the number of bytes in each array element. This 
permits changing X_ARRAY to a double-precision real array by simply ones its 
definition (DD to DQ) and peaeseuipEne 


Figure 18-7 shows the effect of the instructions in the program loop on the FPU register 
stack. The figure assumes that the program is in its first iteration, that N-OF_X is 20, and 
that X_ ARRAY(19) (the 20th element) contains the value 2.5. When the loop termi- 
nates, the three sums are left as the top stack elements so that the program ends by 
simply popping them into memory variables. 
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18.2 CONCURRENT PROCESSING 


Because the Intel486 Integer Unit and FPU are separate execution units, it is possible 
for the FPU to execute numeric instructions in parallel with instructions executed by the 
IU. This simultaneous execution of different instructions is called concurrency. 


No special programming techniques are required to gain the advantages of concurrent 
execution; numeric instructions for the FPU are simply placed i in line with the instruc- 
tions for the IU. Integer and numeric instructions are initiated in the same order as they 
are encountered in the instruction stream. However, because numeric operations per- 
formed by the FPU generally require more time than integer operations, the IU can 
often execute several of its instructions before the FPU ii aa a numeric instruction 
previously initiated. : | 


This concurrency offers obvious advantages in terms of execution performance, but con- 
currency also imposes several rules that must be observed in order to assure proper 
synchronization of the IU and FPU. . 


All Intel high-level languages automatically provide for and manage concurrency in the 
FPU. Assembly-language programmers, however, must understand and manage some 
areas of concurrency in exchange for the flexibility and performance of programming in 
assembly language. This section is for the oe language programmer or well- 
informed high-level-language programmer. 


18.2.1 Managing Concurrency 


The activities of numeric programs can be split into. two major areas: program control 
and arithmetic. The program control part performs activities such as deciding what func- 
tions to perform, calculating addresses of numeric operands, and loop control. The arith- 
metic part simply adds, subtracts, multiplies, and performs other operations on the 
numeric operands. The Tntel486 processor is designed to handle these two parts sepa- 
rately and efficiently. 


Concurrency management is required to check for an exception before letting the pro- 
cessor change a value just used by the FPU. Almost any numeric instruction can, under 
the wrong circumstances, produce a numeric exception. For programmers in higher-level. 
languages, all required synchronization is automatically provided by the appropriate 
compiler. For assembly-language programmers exception synchronization remains the 
eapOUSEY of the programmer. 


Aecoisstienion is that a programmer may. not expect his numeric program to cause 
numeric exceptions, but in some systems, they may regularly happen. To better under- 
stand these points, consider what can happen when the FPU detects an exception. 
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Depending on options determined by the software system designer, the Intel486 proces- 
sor can perform one of two things when a numeric exception occurs: 


e The FPU can provide a default fix-up for selected numeric exceptions. Programs can 
mask individual exception types to indicate that the FPU should generate a safe, 
reasonable result whenever that exception occurs. The default exception fix-up activ- 
ity is treated by the FPU as part of the instruction causing the exception; no external 
indication of the exception is given. When exceptions are detected, a flag is set in the 
numeric status register, but no information regarding where or when is available. If 
the FPU performs its default action for all exceptions, then the need -for exception 
synchronization is not manifest. However, as will be shown later, this is not sufficient 
reason to ignore exception synchronization when designing programs that use the 
FPU. 


e As an alternative to the default fix-up of numeric exceptions, the IU can be notified 
whenever an exception occurs. When a numeric exception is unmasked and the 
exception occurs, the FPU stops further execution of the numeric instruction and 

_ signals this event. On the next occurrence of an ESC or WAIT instruction, the pro- 
cessor traps to a software exception handler. The exception handler can then imple- 
ment any sort of recovery procedures desired for any numeric exception detectable by 
the FPU. Some ESC instructions do not check for exceptions. These are the nonwait- 
ing forms FNINIT, FNSTENV, FNSAVE, FNSTSW, FNSTCW, and FNCLEX. 


When the FPU signals an unmasked exception condition, it is requesting help. The fact 
that the exception was unmasked indicates that further numeric program execution 
under the arithmetic and programming rules of the FPU is unreasonable. 


If concurrent execution is allowed, the state of the processor when it recognizes the 
exception is undefined. It may have changed many of its internal registers and be exe- 
cuting a totally different program by the time the exception occurs. To handle this situ- 
ation, the FPU has special registers updated at the start of each numeric instruction to 
describe the state of the numeric program when the failed instruction was attempted. 


Exception synchronization ensures that the FPU is in a well-defined state after an 
unmasked numeric exception occurs. Without a well-defined state, it would be impossi- 
ble for exception recovery routines to determine why the numeric exception occurred, or 
to recover successfully from the exception. 


The following two sections illustrate the need to always consider exception synchroniza- 
tion when writing numeric code, even when the code is initially intended for execution 
with exceptions masked. If the code is later moved to an environment where exceptions 
are unmasked, the same code may not work correctly. An example of how some instruc- 
tions written without exception synchronization will work initially, but fail when moved 
into a new environment, is shown in Figure 18-8. 


18.2.1.1 INCORRECT EXCEPTION SYNCHRONIZATION 


In Figure 18-8, three instructions are shown to load an integer, calculate its square root, 
then increment the integer. The synchronous execution of the FPU will allow this pro- 
gram to execute correctly when no exceptions occur on the FILD instruction. 
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INCORRECT ERROR SYNCHRONIZATION 


COUNT 3; FPU instruction 
COUNT | integer instruction alters operand 
; subsequent FPU instruction -- error from 
previous FPU instruction detected here 


PROPER ERROR SYNCHRONIZATION 


~~ COUNT 6} FPU instruction 
| ; subsequent FPU instruction -- error from 
previous FPU instruction detected here 
COUNT ; integer instruction alters operand 
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Figure 18-8. Exception Synchronization Examples 


This situation changes if the numeric register stack is extended to memory. To extend 
the FPU stack to memory, the invalid exception is unmasked. A push to a full Reeistel or 
pop from an empty register sets SF and causes an invalid exception. | 


The recovery routine for the exception must recognize this situation, fix up the stack, 
then perform the original operation. The recovery routine will not work correctly in the 
first example shown in the figure. The problem is that the value of COUNT is incre- 
mented before the exception handler is invoked, so that the recovery routine will load an 
incorrect value of COUNT, causing the program to fail or behave unreliably. » 


18.2.1.2 PROPER EXCEPTION SYNCHRONIZATION 


Exception synchronization relies on the WAIT instruction. Whenever an unmasked 
numerical exception occurs, the FPU asserts an error-condition signal internal to the 
processor. When the next WAIT instruction (or non-control ESC instruction) is encoun- 
tered, the error-condition signal is acknowledged and a software exception handler is 
invoked. (See Chapter 16 for a more detailed discussion of the various floating-point 
error-reporting mechanisms.) If this WAIT or ESC instruction is properly placed, the 
processor will not yet have disturbed any information vital to recovery from the 
peed 
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CHAPTER 19 _ 
SYSTEM-LEVEL CONSIDERATIONS 


System programming for Intel486 processor systems requires a more detailed under- 
standing of the FPU than does application programming. Such things as initialization, 
exception handling, and data and error synchronization are all the responsibility of the 
systems programmer. These topics are covered in detail in the sections that follow. 


19.1 ARCHITECTURE 


On a software level, the FPU appears as an extension of the Integer Unit. On the 
hardware level, however, the mechanisms by which the FPU and IU interact are more 
complex. This section describes this interaction and points. out eretelce that are of inter- 
est to systems programmers. 


19.1.1 Independent of Addressing Mode 


Unlike the Intel287 NPX (but like the Intel387 NPX), the FPU of the Intel486 proces- 
Sor operates the same regardless of whether the processor is operating i in real-address 
mode, in 1 protected mode, or in virtual 8036 mode. — | 


Numeric instructions can utilize any memory location accessible by the task currently 
executing. When operating in protected mode, all references to memory operands are 
automatically verified by the memory management and protection mechanisms as for any 
other memory references by the currently-executing task. Protection violations associ- 
ated with numeric instructions automatically cause the processor to trap toi an appropri- 
ate exception handler. | 


To the numerics programmer, the operating mode affects only the manner in which the 
FPU instruction and data pointers are represented in memory following an FSAVE or 
FSTENV instruction. Each of these instructions produces one of four formats depending 
on both the operating mode and on the operand-size attribute in effect for the instruc- 
tion. The differences are detailed in the discussion of the FSAVE and FSTENYV instruc- 
tions in Chapter 26. 


19.2 PROCESSOR INITIALIZATION AND CONTROL | 


One of the principal responsibilities of systems software is the initialization, monitoring, 
and control of the hardware and software resources of the system, including the FPU. In 
this section, issues related to system initialization and control are described, including 
the handling of exceptions that may occur during the execution of numeric instructions. 
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19.2.1 System Initialization 


During initialization of an Intel486 processor syste systems software must initialize the 
FPU and set flags in CRO to reflect the state of the numeric environment. Refer to 
Section 3.11 (Figure 3-23) to determine the presence of an -Intel486 FPU. These activi- 
ties can be quickly and easily performed as part of the overall system initialization. 


19.2.2 Configuring the Numerics Environment 


System software must load the appropriate values into the MP, EM, and NE bits of the 
CRO control register. | 


The MP (Monitor coProcessor) bit determines whether WAIT instructions trap when 
the context of the FPU is different from that of the currently executing task. If MP = 1 
and TS = 1, then a WAIT instruction will cause a Device Not Available fault (interrupt 
vector 7). The MP bit was used on the 286 and Intel386 DX microprocessors to support 
the use of a WAIT instruction to wait on a device other than a numeric coprocessor. The 
device would report its status through the BUSY# pin. It should be set for processors 
with integrated FPU and reset in the Intel486 SX CPU. | _ 


The EM (EMulate coprocessor) bit determines whether ESC instructions are executed 
by the FPU (EM = 0) or trap via interrupt vector 7 to be handled by software (EM = 
1). The EM bit was used on the Intel386 DX microprocessor so that numeric applica- 
tions written for an Intel386 DX CPU/Intel387 DX system could be run in the absence 
of an Intel387 DX coprocessor with a software Intel387 DX emulator. For normal oper- 
ation of the Intel486 FPU, the EM bit should be cleared to 0. The EM bit must be set in 
the Intel486 SX CPU. 


The NE (Numeric Exception). bit determines whether unmasked floating- -point excep- 
tions are handled through interrupt vector 16 (NE = 1) or through external interrupt 
(NE =0). In systems using an external interrupt controller to invoke numeric exception 
handlers, the NE bit should be cleared to 0. Other systems can make use of the auto- 
matic error reporting through interrupt 16, and should set the NE bit to 1. See Section 
19.2.4 for a on ws numeric Che B ton pene: aan 


19.2.3 Initializing the FPU 


Initializing the FPU simply means sina the FPU ina known state unaffected by any 
activity performed earlier. A single FNINIT instruction performs this initialization. All 
the error masks are set, all registers are tagged empty, TOP is set to zero, and default 
rounding and precision controls are set. Table 19-1 shows the state of the FPU following 
FINIT or FNINIT. | 


The FNINIT instruction leaves the FPU in the same state as that which results from a 
hardware RESET signal with Built-In Self-Test. When the Built-In Self-Test is not 
requested, a hardware RESET nae the ee state pecans An FNINIT instruction 
should be executed after reset. 
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Table 19-1. FPU State Following Initialization 


Control Word 037FH 
(Infinity Control) * 0 Affine 
Rounding Control | 00 Round to nearest 
Precision Control 11 64 bits 
Exception Masks 441994 | All exceptions masked 


Status Word 
(Busy) : _ 
Condition Code a 
Stack Top . - Register 0 is stack top 
Exception Summary | } ' No exceptions 
Stack Flag | | | _ oer 4. 
Exception Flags 000000 No exceptions 


Tag Word FFFFH | 
Tags 11 Empty 


Exception Pointers . -_ 
Instruction Code Cleared 
Instruction Address ~ Cleared 

~ Operand Address | Cleared 


*The Intel486™ processor does not have infinity control. This value is listed to emphasize that programs 
written for the Intel287 math coprocessor may not behave the same on the Intel486 processor if they 
depend on this bit. 


19.2.3.1 Intel486 DX CPU SOFTWARE EMULATION 


Setting the EM bit to 1 will cause the Intel486 processor to trap via interrupt vector 7 
(Device Not Available) to a software exception handler whenever it encounters an ESC 
instruction. The EM bit was used to run numeric applications on an Intel386 processor 
with a software Intel387 emulator. Numeric applications designed to be run with a non- 
standard Intel387 emulator may not run successfully on the Intel486 processor without 
the emulator. Setting the EM bit to 1 makes it possible to run such applications, or 
programs which use non-standard floating-point arithmetic, on the Intel486 processor. 


19.2.3.2 Intel486 SX CPU SOFTWARE EMULATION PROCEDURE 


If the Intel487 SX math coprocessor is not present in the Intel486 SX system, floating 
point instructions can be emulated. The system is set up for software emulation 
accordingly: : | | 


CRO bit 

EM 1 
MP 0 
NE 1 
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The EM bit must be set in order for the Intel486 SX to function properly. Setting the 
EM bit to 1 will cause. the Intel486 processor to trap via interrupt vector 7 (Device Not 
Available) to a software exception handler whenever it encounters an ESC instruction. If 
the EM bit is set and no coprocessor or emulator is present, the system will hang. 


The MP bit is used in conjunction with the TS bit to determine if WAIT instructions 
should trap when the context of the FPU is different from that of the currently executing 
task. When no FPU is present, this information is irrelevent and ee the bit should 
be set to 0. 7 | 


Regardless of the value of the NE bit, the Intel486 SX processor will generate an inter- 
rupt vector 7 upon encountering any floating point instruction. It is recommended that 
NE be set to 1 for normal operation. If a Floating Point Unit is present, this bit follows 
the description described in | Section 19.2.4. | 


19.2.4 Handling Numerics Exceptions 


Once the FPU has been initialized and normal execution of applications: has been com- 
menced, the FPU may occasionally require attention in order to recover from numeric 
processing exceptions. This section provides details for writing software exception han- 
dlers for numeric exceptions. Numeric Peers peep dons have ae been intro- 
duced i in pee ay 16. | ae 


If the FPU encounters an unmasked exception condition, a software exception handler is 
invoked immediately before execution of the next WAIT or non-control floating-point 
instruction. The exception handler is invoked either through interrupt vector 16 or 
through an external interrupt, i on the value of the NE bit of the CRO control 
register. | | 


If NE = 1, an unmasked floating-point exception results in interrupt 16, immediately 
before the execution of the next non-control floating-point or WAIT instruction. Inter- 
rupt 16 is an operating-system call that invokes the exception handler. Chapter 9 con- 
tains a general discussion of exceptions and interrupts on the Intel486 processor. 


If NE = 0 (and the IGNNE#¥ input is inactive), an unmasked floating-point exception 
causes the processor to freeze immediately before executing the next non-control 
floating-point or WAIT instruction. The frozen processor waits for an external interrupt, 
which must be supplied by external hardware in response to the FERR# output of the 
processor. (Regardless of the value of NE, an unmasked numerical exception causes the 
FERR# output to be activated.) In this case, the external interrupt invokes the 
exception-handling routine. If NE = 0 but the IGNNE# input is active, the processor. 
disregards the exception and continues. Error reporting via external interrupt is sup- 

ported for DOS compatibility. Chapter 25 contains further discussion of company 
issues. 
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When handling numeric errors, the processor has two responsibilities: 
e It must not disturb the numeric context when an error is detected. 
e It must clear the error and attempt recovery from the error. 


Although the manner in which programmers may treat these responsibilities varies from 
one implementation to the next, most exception handlers will include these basic steps: 


e Store the FPU environment (control, status, and tag words, operand and instruction 
pointers) as it existed at the time of the exception. 


e Clear the exception bits in the status word. 
e Enable interrupts. 


e Identify the exception by examining the status and control words in the saved 
environment. 3 


e Take some system-dependent action to rectify the exception. 
e Return to the interrupted program and resume normal execution. 


19.2.5 Simultaneous Exception Response 


In cases where multiple exceptions arise simultaneously, the FPU signals one exception 
according to the precedence shown at the end of Chapter 16. This means, for example, 
that an SNaN divided by zero results in an invalid operation, not in a zero ewig’ 
exception. | oe 3 


19.2.6 Exception Recovery Examples 


Recovery routines for numeric exceptions can take a variety of forms. They can change 
the arithmetic and programming rules of the FPU. These changes may redefine the 
default fix-up for an error, change the appearance of the FPU to the programmer, or 
change how arithmetic is defined on the FPU. 


A change to an exception response might be to perform denormal arithmetic on denor- 
mals loaded from memory. A change in appearance might be extending the register stack 
into memory to provide an “infinite” number of numeric registers. The arithmetic of the 
FPU can be changed to automatically extend the precision and range of variables when 
exceeded. All these functions can be implemented on the Intel486 processor via numeric 
exceptions and associated recovery routines in a manner transparent to the application 
programmer. 


Some other possible application-dependent actions might include: 
e Incrementing an exception counter for later display or printing 


e Printing or displaying diagnostic information (e.g., the FPU environment and 
registers) 7 


e Aborting further execution 
e Storing a diagnostic value (a NaN) in the result and continuing with the computation 
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Notice that an exception may or may not constitute an error, depending on the applica- 
tion. Once the exception handler corrects the condition causing the exception, the 
floating-point instruction that caused the exception can be restarted, if appropriate. This 
cannot be accomplished using the IRET instruction, however, because the trap occurs at 
the ESC or WAIT instruction following the offending ESC instruction. The exception 
handler must obtain (using FSAVE or FSTENV) the address of the offending instruc- 
tion in the task that initiated it, make a copy of it, execute the copy in the context of the 
offending task, and then return via IRET to the current instruction stream. | 


In order to correct the condition causing the numeric exception, exception handlers must 
recognize the precise state of the FPU at the time the exception handler was invoked, 
and be able to reconstruct the state of the FPU when the exception initially occurred. To 
reconstruct the state of the FPU, programmers must understand when, during the exe- 
cution of a numeric instruction, exceptions are actually recognized. : 


Invalid operation, zero divide, and denormalized exceptions are detected before an 
operation begins, whereas overflow, underflow, and precision exceptions are not raised 
until a true result has been computed. When a before exception is detected, the FPU 
register stack and memory have not yet been updated, and appear as if the olenaine 
instructions has not been executed. 


When an 1 after exception is detected, the register stack and memory appear as if the 
instruction has run to completion; i.e., they may be updated. (However, in a store or 
store-and-pop operation, unmasked over/underflow is handled like a before exception; 
memory is not updated and the stack is not popped.) The programming examples con- 
tained in Chapter 20 include an outline of several exception handlers to process numeric 
exceptions. 
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CHAPTER 20 
NUMERIC PROGRAMMING EXAMPLES 


The following sections contain examples of numeric programs for the Intel486 processor 
written in ASM386/486. These examples are intended to illustrate some of the tech- 
niques useful for programming Intel486 processor systems for numeric applications. 


20.1 CONDITIONAL BRANCHING EXAMPLE 


As discussed in Chapter 15, seer numeric instructions post their patie to the condi- 
tion code bits of the FPU status word. Although there are many ways to implement 
conditional branching following a comparison, the basic approach is as OMe 


_ Execute the comparison. 
e Store the status word. (The FPU status word can 1 be stored directly into AX register.) 
e Inspect the condition code bits. 


e Jump on the result. 


Figure 20-1 is a code fragment that illustrates how two memory-resident double-format 
real numbers might be compared (similar code could be used with the FIST instruc- 
tion). The numbers are called A and B, and the comparison is A to B. 


The comparison itself requires loading A onto the top of the FPU register stack and 
then comparing it to B, while popping the stack with the same instruction. The status 
word is then written into the AX RCESteh 


A and B have four possible paceriaae, and bits C3, C2, and C0 of the condition code 
indicate which ordering holds. These bits are positioned in the upper byte of the FPU 
status word so as to correspond to the zero, parity, and carry flags (ZF, PF, and CF), 
when the byte is written into the flags. The code fragment sets ZF, PF, and CF of the 
EFLAGS register to the values of C3, C2, and CO of the FPU status word, _and then uses 
the conditional jump instructions to test the ee The Sune code is extremely com- 
pact, requiring only seven instructions. | : 


The FXAM instruction idan all aun condition code bits. Figure 20- Z Rows how a 
jump table can be used to determine the characteristics of the value examined. The jump 
table (FXAM_TBL) is initialized to contain the 32-bit displacement of 16 labels, one for 
each possible condition code setting. Note that four of the table entries contain the same 
value, “EMPTY.” The first two condition code settings correspond to “EMPTY.” The 
two other table entries that contain “EMPTY” will never be used on the Intel486 pro- 
cessor or the Intel387 math coprocessors, but may be used if the code is executed with 
an Intel287 math coprocessor. , | | 


The program fragment performs the FXAM and stores the status word. It then manip- 
ulates the condition code bits to finally produce. a number. in register AX that equals the 
condition code.times 2. This involves zeroing the unused bits in the byte that contains 
the code, shifting C3 to the right so that it is adjacent to C2, and then shifting the code 
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FLD h ; LOAD A ONTO TOP OF FPU STACK 
FCOMP B ; COMPARE A:B, POP A 
FSTSW AX ; STORE RESULT TO AX REGISTER 


CPU AX REGISTER. CONTAINS CONDITION CODES 
(RESULTS OF COMPARE) © 
LOAD CONDITION CODES INTO FLAGS 


SAHE 
) USE CONDITIONAL JUMPS TO DETERMINE ORDERING OF A TO B- 

JP. A_B_UNORDERED . TEST C2 (PF) 

JB ALLESS . TEST CO (CF) 


JE A_EQUAL ; TEST C3 (ZF) 
 ALGREATER: 2, ¢-C0 CORD = 0,03 (ZF) = 


A_EQUAL: te OE so C0 CCR). C3 (ZF) = 


ACLESS? gO CCR) = 1, 03 CZF) = 


h_B_UNORDERED: ee 10D CPE) 
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Figure 20-1. Conditional Branching for Compares | 


to multiply it by 2. The resulting value is used as an index that selects one of the dis- 
placements from FXAM_TBL (the multiplication of the condition code is required 
because of the 2-byte length of each value in FXAM_TBL). The unconditional JMP 
instruction effectively vectors through the jump table to the labeled routine that contains 
code (not shown in the oar’) to process each” possible result. of the FXAM 
instruction. : : ? “n 


20.2 EXCEPTION HANDLING EXAMPLES 
There are many approaches to writing exception handlers. One useful technique is to 


consider the exception handler procedure as consisting of ° ‘prologue,” “body,” ane ‘epi- 
logue” sections of code. ane procedure is invoked via interrupt number 16. : 
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* JUMP TABLE FOR EXAMINE ROUTINE 


FXAM_TBL DD POS_UNNORM, POS NAN, NEG_UNNORM, NEG_NAN, 
POS_NORM, POS_INFINITY, NEG_NORM, 
NEG_INFINITY, POS_ZERO, EMPTY, NEG_ZERO, 
EMPTY, POS_DENORM, EMPTY, NEG_DENORM, EMPTY 


EXAMINE ST AND STORE RESULT (CONDITION CODES) 


FXAM 
XOR EAX,EAX ; CLEAR EAX 
~FSTSW AX 
CALCULATE OFFSET INTO JUMP TABLE 
AX, 0100011100000000B 3; CLEAR ALL BITS EXCEPT C3, C2-C0 
EAX,6 + SHIFT C2-C0 INTO PLACE (O00XXX00) 
AH,4 ; POSITION C3 (00xX00000) 
AL, AH ; DROP C3 IN ADJACENT TO C2 COOXXXK00) 
AH, AH * CLEAR OUT THE OLD COPY OF C3 
JUMP TO THE ROUTINE ‘ADDRESSED’ BY CONDITION CODE 
JUMP FXAM_TBLUEAX] 


HERE ARE THE JUMP TARGETS, ONE TO HANDLE 
EACH POSSIBLE RESULT OF FXAM 


POS_UNNORM: 
POS_NAN: 
NEG_UNNORM: 
NEG_NAN: 
POS_NORM: 
POS_INFINITY: 
NEG_NORM: 
NEG_INFINITY: 
POS_ZERO: 
EMPTY: 
NEG_ZERO: 

POS _DENORM: 
NEG_DENORM: 
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Figure 20-2. Conditional Branching for FXAM 
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In the transfer of control to the exception handler, interrupts have been disabled by 
hardware. The prologue performs all functions that must be protected from possible 
interruption by higher-priority sources. Typically, this involves saving registers and trans- 
ferring diagnostic information from the FPU to memory. When the critical processing 
has been completed, the prologue may re-enable interrupts to allow higher-priority 
interrupt handlers to preempt the exception handler. 


The body of the exception handler examines the diagnostic information and makes a 
response that is necessarily application-dependent. This response may range from halt- 
ing execution, to displaying a message, to attempting to repair the problem and proceed 
with normal execution. 


The epilogue essentially reverses the actions of the prologue, restoring the processor so 
that normal execution can be resumed. The epilogue must not load an unmasked excep- 
tion flag into the FPU or another exception will be requested immediately. 


Figures 20-3, through 20-5 show the ASM386/486 coding of three skeleton exception 
handlers. They show how prologues and epilogues can be written for various situations, 
but provide comments indicating only where the application a cc ed ale han- 
dling body should be placed. 


SAVESADL PROC 


+ GAVE REGISTERS, “ALLOCATE STACK SPACE 
FOR FPU STATE IMAGE 
PUSH EBP 
MOV. “EBP ESP 
SUB ESP,108 
SAVE FULL FPU STATE, ENABLE INTERRUPTS 
FNSAVE [EBP-108]_ - 
oe) 


APPLICATION-DEPENDENT EXCEPTION HANDLING 
CODE GOES HERE 


CLEAR EXCEPTION FLAGS IN STATUS WORD 
(WHICH IS IN MEMORY) 

RESTORE MODIFIED STATE IMAGE 
MOV BYTE PTR CEBP-104], OH 
FRSTOR [EBP-108) 

DEALLOCATE STACK SPACE, RESTORE REGISTERS 
MOVEOESPS ERP 


POP EBP 

; RETURN TO INTERRUPTED CALCULATION 
RET 

SAVE_ALL ENDP 
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Figure 20-3. Full-State Exception Handler 
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SAVE_ENVIRONMENT PROC 


) SAVE REGISTERS, ALLOCATE STACK SPACE 
; FOR FPU ENVIRONMENT 
PUSH EBP 


BBP E-oP 
SUB ESP ,28 
SAVE ENVIRONMENT, ENABLE INTERRUPTS 
PNS-TLENV: [TE BP =26)) 
oll 


APPLICATION EXCEPTIQN-HANDLING CODE GOES HERE 


CLEAR EXCEPTION FLAGS IN STATUS WORD 
(WHICH IS IN MEMORY) | 

RESTORE MODIFIED ENVIRONMENT IMAGE 
MOV BYTE “PTR CEBPs2414.° 0:8 
FLDENV CEBP-28) 

DE-ALLOCATE STACK SPACE, RESTORE REGISTERS 
MOV Econ y EB P 
POP EBP 


, RETURN TO INTERRUPTED CALCULATION 
IRET | 
SAVE_ENVIRONMENT ENDP 
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Figure 20-4. Reduced-Latency Exception Handler 


Figures 20-3 and 20-4 are very similar; their only substantial difference is their choice of 
instructions to save and restore the FPU. The tradeoff here is between the increased 
diagnostic information provided by FNSAVE and. the, faster execution of FNSTENV. 
For applications that are sensitive to interrupt latency or that do not need to examine 
register contents, FNSTENV reduces the duration of the “critical region,” during which 
the processor does not recognize another interrupt request. 


After the exception handler body, the epilogues prepare the processor to resume execu- 
tion from the point of interruption (i.e., the instruction following the one that generated 
the unmasked exception). Notice that the exception flags in the memory image that is 
loaded into the FPU are cleared to zero prior to reloading (in fact, in these examples, 
the entire status word image is cleared). 


The examples in Figures 20-3 and 20-4 assume that the exception handler itself will not 
cause an unmasked exception. Where this is a possibility, the general approach shown in 
_ Figure 20-5 can be employed. The basic technique is to save the full FPU state and then 
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LOCAL CONTROL DW 2? 3 ASSUME INITIALIZED 


REENTRANT | PROC 


:; SAVE REGISTERS, ALLOCATE STACK SPACE FOR 
; FPU STATE IMAGE 
PUSH EBP 


MOV EBP,ESP | 
SUB ESP,108 
: SAVE STATE, LOAD NEW CONTROL WORD, 
ENABLE INTERRUPTS | 
FNSAVE [EBP-108] 
FLDCW  LOCAL_CONTROL 
STI 


APPLICATION EXCEPTION HANDLING CODE GOES HERE. 
AN UNMASKED EXCEPTION GENERATED HERE WILL 
CAUSE THE EXCEPTION HANDLER TO BE -REENTERED. 
IF LOCAL STORAGE IS NEEDED, IT MUST BE 
ALLOCATED ON THE STACK. ’ 


CLEAR EXCEPTION FLAGS IN STATUS WORD 
(WHICH IS IN MEMORY) 
RESTORE MODIFIED STATE IMAGE 
MOV BYTE PTR [EBP-1041,. OH 
FRSTOR ([EBP-108] | | 
DE-ALLOCATE STACK SPACE, RESTORE REGISTERS 
MOV. ESP,EBP. > 


7 POP EBP | 

» RETURN TO POINT OF INTERRUPTION 

TRET 9 , i | 
REENTRANT hat 4 ENDP 
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Figure 20-5. Reentrant Exception Handler 
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to load a new control word in the prologue. Note that considerable care should be taken 
when designing an exception handler of this type to prevent the handler from being 
reentered endlessly. 


20.3 FLOATING-POINT TO ASCII CONVERSION EXAMPLES 


Numeric programs must typically format their results at some point for presentation and 
inspection by the program user. In many cases, numeric results are formatted as ASCII 
strings for printing or display. This example shows how floating-point values can be 
converted to decimal ASCII character strings. The function shown in Figure 20-6 can be 
invoked from PL/M-386/486, Pascal-386/486, FORTRAN-386/486, or _ ASM386/486 
routines. 


Shortness, speed, and accuracy were chosen rather than providing the maximum number 
of significant digits possible. An attempt is made to keep integers in their own domain to 
avoid unnecessary conversion errors. 


Using the extended precision real number format, this routine achieves a worst case 
accuracy of three units in the 16th decimal position for a noninteger value or integers 
greater than 10'°. This is double precision accuracy. With values having decimal expo- 
nents less than 100 in magnitude, the accuracy is one unit in the 17th decimal position. 


Higher precision can be achieved with greater care in programming, larger program size, 
and lower performance. 7 


20.3.1 Funciion Partitioning 


Three separate modules implement the conversion. Most of the work of the conversion 
is done in the module FLOATING_TO_ASCII. The other modules are provided sepa- 
rately, because they have a more general use. One of them, GET-_POWER_10, is also 
used by the ASCII to floating-point conversion routine. The other small module, 
TOS_STATUS, identifies what, if anything, is in the top of the numeric register stack. 


20.3.2 Exception Considerations 


Care is taken inside the function to avoid generating exceptions. Any possible numeric 
value is accepted. The only possible exception is insufficient space on the numeric reg- 
ister stack. | 


The value passed in the numeric stack is checked for existence, type (NaN or infinity), 
and status (denormal, zero, sign). The string size is tested for a minimum and maximum 
value. If the top of the register stack is empty, or the string size is too small, the function 
returns with an error code. 


Overflow and underflow is avoided inside the function for very large or very small 
numbers. : 


20-7 


intel. NUMERIC PROGRAMMING EXAMPLES 


SOURCE 


$title('Convert a floating point number to ASCII') 


name floating | to_ascii 


public floating to-ascii 
extrn get_power_ 10: near, ,tos_ status:near | 


This subroutine wilt Edgar inen oh point 
‘number in the top of the NPX stack to an ASCII 
string and separate power of 10 scaling value 
Cin binary). The maximum width of the ASCII string 
formed is controlled by a parameter which must be 
> 1. Unnormal values, denormal values, and psuedo 
zeroes will be correctly converted. However, unnormals 
and pseudo zeros are no longer supported formats on the i486 processor 
(in conformance with the IEEE floating point 
standard) and hence not generated internally. A 
~ returned value will indicate how many binary bits 
of precision were lost in an unnormal or denormal 
value. The magnitude (in terms of binary power) 
of a pseudo zero will also be indicated. Integers 
less than 10**18 in magnitude are accurately converted 
if the destination ASCII string field is wide enough 
to hold all the digits. Otherwise the value is converted 
to scientific notation. 


me we Se Be Bs Ws - 


me |e |e Me NSB Be “WE 


The status of the conversion is identified by the 
return value, it can be: 


conversion complete, ering: size is defined 
invalid arguments: 
exact integer | conversion, string. size is dee ined 
indefinite 
+ NAN (Not A Number) 
NAN 
+ Infinity 
Infinity 
pseudo zero found, string_size is defined 


. 
tf 
e 
g 
e 
tf 
e 
a 
® 
a 
e 
a 
. 
g 
° 
a 
e 
’ 
r 
a 
e 
s 
*: 
ra 
° 

_& 


e ™=e8 


CON OUE WD — © 


The PLM—386/486 calling convention is: | 


=e Se Ss Be Be WO We. 


floating _to_ascii: ; 
procedure (number ,denormal_ptr, string ptr, size_ptr, 
field_size, power_ptr) word external; 
declare (denormal_ptr,string_ptr,power_ptr,size_ptr) 
pointer; 
declare field_size word, 
-string_size based size_ptr word; 
declare number real; 
declare denormal integer based denormal ptr; 


=a 


s “ea 


240486i20-6of1 


Figure 20-6. Floating-Point to ASCII Conversion Routine 
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declare power integer based power ptr; 
end floating_to_ascii; 


The floating point value is expected to be 
on the top of the FPU stack. This subroutine 
expects 3 free entries on the FPU stack and 

_ will. pop the passed value off when done. The 
generated ASCII string will have a leading 
character either '-' or '+' indicating the sign 
of the value. The ASCII decimal digits will 
immediately follow. The numeric value of the 
ASCII string is (ASCII STRING. )*10**POWER. If 

' the given number was zero, the ASCII string will 
contain a sign and a single zero chacter. The 
value string_size indicates the total length of 
the ASCII string including the sign character. 
String(O) will always hold the sign. It is — 
possible for string size to be less than , 
field_size. This occurs for zeroes or integer 
values. A pseudo zero will return a special 
return code. The denormal count will indicate 

the power of two originally associated with the 
value. The power of ten and ASCII string will 
be as if the value was an ordinary zero. . 


This subroutine is accurate up to a maximum of © 
18 decimal digits for integers. Integer values 
will have a decimal power of zero associated 
with them. For non integers, the result will be 
accurate to within 2 decimal digits of the 16th 
decimal place(double precision). The exponentiate 
instruction is also used for scaling the value into 
the range acceptable for the BCD data type. The 
rounding mode in effect on entry to the 
subroutine is used for the conversion. 


The following registers are not transparent: 


eax ebx ecx edx esi edi eflags 


Define the stack layout. 


eX, 

ebp_ save equ dword ptr [ebp] 

es save equ ebp save + size ebp save 
return_ptr equ es save + size es_save 
power_ptr equ return_ptr + size return_ptr 
field_size equ power_ptr + size power_ptr 
size_ptr equ field_size + size field_size 
string ptr equ size ptr + size size ptr 
denormal_ptr equ string ptr + size string_ptr 


parms_size equ size power_ptr + size field_size + 
& size size_ptr + size string _ptr + 
& size denormal_ptr 
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Figure 20-6. Floating-Point to ASCII Conversion Routine (Conitd.). 
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» 
a 


: Define constants used 

BCD DIGITS equ 18 : Number of digits in bed_value 
WORD_SIZE | equ 4 | 
BCD_SIZE equ 10 7 : 

MINUS equi. ; Define return values 

NAN - equ 4 ; The exact values chosen 
INFINITY equ 6 ; here are important. They must 
INDEFINITE equ 3 * correspond to the possible return 
PSEUDO_ZERO equ. 8 ; values and be in the same numeric. 
INVALID equ “20 : order as tested by the program. 
ZERO | equ “4 ‘ | | 
DENORMAL equ -6 

UNNORMAL equ 8 

NORMAL . equ 0 

EXACT equ 2 

e 

: Define layout of temporary storage area. 

f . 

power_two equ word ptr [ebp - WORD SIZE] 

bed_value — equ tbyte ptr power_two - BCD_ SIZE - 

bed byte — equ byte ptr bed_ value 

fraction =~ equ pede value 

local_size equ size power_two + size bcd_value 

;: Allocate stack space for the temporaries so 

: . the stack will ee big enough 


apace eeneeees (local_sizet6) ; Allocate stack 


+1 Seject 


Figure 20-6. Floating-Point to ASCII Conversion Routine (Contd.) 


; space for locals 
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segment public er 
extrn power_table:qword 


Constants used by this function. 


even Optimize for 16 bits 
const10 dw 10 Adjustment value for 
: too big BCD 


' 
- Convert the C3,C2,C1,CO encoding from tos_status 
into meaningful bit flags and values. 


tatus table db UNNORMAL, NAN, UNNORMAL + MINUS, 
NAN + MINUS, NORMAL, INFINITY, 
NORMAL + MINUS, INFINITY + MINUS, 
ZERO, INVALID, ZERO + MINUS, INVALID, 
DENORMAL, INVALID, DENORMAL + MINUS, INVALID 


loating_to_ascii proc 
call tos_status » Look at status of ST(0) 
- Get descriptor from table 
‘Movzx eax, status_table[eax] 
cmp al, INVALID ; Look for empty ST(0) 
jne not_empty 
ST(0) is empty! Return the status value. 


ret parms_ size 


Remove infinity from stack and exit. 


found_infinity: | 
fstp st(0) > OK to leave fstp running 
jmp short exit_proc 


String space is too small! 
Return invalid code. 


small_string: 

mov al, INVALID 
exit_proc: 
leave ; Restore stack setup 
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Figure 20-6. Floating-Point to ASCII Conversion Routine (Contd.) 
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pop es 
ret parms_size 


+ ST(O) is NAN or indefinite. Store the 
+ value in memory and look at the fraction 
; field to separate indefinite from an ordinary NAN. 


NAN_or_indefinite: 


fstp fraction ; Remove value from stack 
| : for examination | - 
test al ,MINUS : Look at sign bit 
— fwait * Insure store is done 
jz. exit_proc : Can't be indefinite if 


3 positive 
mov ebx, OCOGO0000H ; Match against upper 32 


sbits of fraction 


: Compare bits 63-32 ai 
sub ebx, dword ptr fraction + 4 


; Bits 31-0 must be zero : 
or ebx, dword ptr fraction 
jnz exit_proc 


: Set return value for indefinite value 
mov al, INDEFINITE 


jmp exit_proc 

a > ; ‘ 

° Allocate stack space for local variables 

: and establish parameter addressibility. 

i 

not_empty: : 
push es : Save working register 
enter local_size, 0 » Setup stack addressing 


: Check for enough string space 


mov ecx, field_size 

cmp ecx,2 

jl small_string 

dec ecx » Adjust for sign character 


: See if string is too large for BCD 
cmp ecx,BCD_ DIGITS 
jbe size_ok 


> Else set maximum string size 
mov ecx,BCD_DIGITS 
size_ok: 
cmp al, INFINITY : Look for infinity 


; Return status value for + or - inf 
jge found_infinity 
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Figure 20-6. Floating-Point to ASCII Conversion Routine (Contd.) 
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cmp al ,NAN » Look for NAN or INDEFINITE 
jge NAN_or_indefinite 


Set default return values and check that 
the number is normalized. 


=e se “eo We 


fabs ; Use positive value only 
: sign bit in al has true sign of value 
edx, edx : Form 0 constant 
edj,denormal_ptr; Zero denormal count 
[edi], dx 
ebx,power_ptr ; Zero power of ten value 
Cebx], dx 
mov dl, al 
and dl, 1 
di, EXACT 
cmp al, ZERO : Test for zero 
jae convert_integer ; Skip power code if value 
| ; is zero 
fstp fraction 
fwait 
mov al, bed byte + 7 
or byte ptr bcd byte + 7, 80h 
fld fraction 
fxtract 
test al, 80h 
jnz normal_value 


fldi 

fsub 

ftst 

fstsw ax 

sahf 

jnz set_unnormal_count 


Found a pseudo zero 


fldlg2 : Develop power of ten estimate 
add dl, PSEUDO ZERO - EXACT 

fmulp st(2), st 

fxch : Get power of ten 

fistp word ptr [ebx] ; Set power of ten 

jmp convert_integer 


set_unnormal_count: 
fxtract . : Get original fraction, 
* now normalized 
fxch ; Get unnormal count 
fchs | 
fistp word ptr Cedi] ; Set unnormal count 


Calculate the decimal magnitude associated 
with this number to within one order. This 
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Figure 20-6. Floating-Point to ASCII Conversion Routine (Contd.) 
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error will always be inevitable due to 
rounding and lost precision. As a result, . 
we Will deliberately fail to consider the 
_LOG10 of the fraction value in calculating 
the order. Since the fraction will always 
be 1 <= F < 2, its LOG10 will not change 
the basic accuracy of the function. To 
get the decimal order of magnitude, simply 
multiply the power of two by LOG10(2) and 
truncate the result to an integer. 


normal_value: _ es oh | 
fstp ‘fraction "+ Save the fraction field 
: for later use 
fist power _two » Save power of two 
fldlg2 : Get LOG10(2) 
| i. eee ; Power_two is now safe to use 
fmul . =—————sg-:« Form LOG10¢of exponent of number) 
fistp word ptr Lebx] ; Any rounding mode — 
7 will work here 


Check if the magnitude of the number rules 
out treating it as an integer. 


CX has the maximum number of decimal digits 
al lowed. 


fwait | ; Wait for power_ten to be valid 


Get power of ten of value 
movsx si, word ptr [ebx] 
sub esi, ecx | ; Form scaling factor 
: necessary in ax | 
ja adjust_result ; Jump if. number will not fit 


The number is between 1 and 10**(field_size).. 
Test if it is an integer. 


fild power_two F Restore original. number 
sub dl ,NORMAL-EXACT ; Convert to exact return 
; value a 


fld fraction | ; B . | 
fscale ': Form full value, this 
: is safe here — * Be 

fst st(1) ; Copy value for compare | 
frndint _ | _+ Test if its an integer _ 
fcomp — "+ Compare values a 
fstsw ye os a Save status , 
sahf ee > C3=1 implies it was 

. 7 an integer | 
jnz convert_integer 


fstp st(0) .. . , ; Remove non integer value 
add dl ,NORMAL-EXACT ; Restore original return value | 
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Figure 20-6. Floating-Point to ASCII Conversion Routine (Contd.) 
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Scale the number to within the range allowed 
by the BCD format.The scaling operation should 
produce a number within one decimal order of 
magnitude of the largest decimal number 
representable within the given string width. 


The scaling power of ten value is in si. 


a 
adjust_result: a 
eax,esi : Setup for powl0_ 
word ptr [ebx] , ax + Set initial power 
of ten return value 
Subtract one for each order of 
magnitude the value is scaled by 
Scaling factor is 
returned as 
exponent and fraction 
fraction 3 Get fraction 
; | > Combine fractions 
esi,ecx : Form power of ten of 
the maximum Sg _ 
esi,3 : BCD value to fit in 
the string 
fild power_two 24 : Combine powers of two 
faddp st(2),st a ee 
fscale ae ; Form full value, 
exponent was safe 
fstp st(1) ; Remove exponent 


eax 


get_power_10 


—=s se se MO MS MWS 


Test the adjusted value against a table 

of exact powers of ten. The combined errors 
of the magnitude estimate and power function 

- can result in a value one order of magnitude 
too smalt or too large to fit correctly in . 
the BCD field. To handle this problem, pretest 
the adjusted value, if it is too small or 
large, then adjust it by ten and adjust the 
power of ten value. 


test_power: 


: Compare against exact power entry. Use the next 
+ entry since cx has been decremented by one 
fcom power_tablelesi]+type power_table 
fstsw ax :-No wait is necessary 
sahf » If C3 = CO = 0 then 
jb test_for_small ; too big 


fidiv const10. ; Else adjust value 
and dl,not EXACT Remove exact flag 
inc word ptr [ebx] ; Adjust power of ten value 
jmp: short in_range ; Convert the value to a BCD 
; integer 
test_for_small: 
fcom power_table[esi] : Test relative size 
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Figure 20-6. Floating-Point to ASCII Conversion Routine (Contd.) 
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No wait is necess 


If. CO = 0 then 
st(0) >= lower bound | 
in_range poo Ee Convert the value 


>: BCD integer 


fimul const10 : Adjust value into range 

dec word ptr [ebx] ; Adjust power of ten value 
in_range: AMOR ¢ . He 3 et & | 
frndint ee ee ee : Form integer value 


Pe cn 


: Assert: 0 <= TOS <= 999,999,999 ,999,999,999 

: The TOS number will be exactly representable 
s in 18 digit BCD format. © 9.7”: . 

Cc 


onvert_integer: st | 
fbstp ~‘bcd_value | ; Store as BCD format number 


While the store BCD runs, setup registers 
for the conversion to ASCII. 


=e =s se Be 


esi,BCD SIZE-2 ; Initial BCD index value 
cx,0f04h : Set shift count and mask 
ebx,1 °° > : Set initial size of ASCII 
— < » field for sign 

edi,string ptr .; Get address of start of 

: ASCII string 
ax, ds se -s Copy ds to es 
eS, ax Rab dest ee - 
Pee oe ; Set autoincrement. mode 
al,'+! ee 8, ee Clear sign field — 
dl,MINUS - .- 3; Look for negative value 
positive-result 9) 0 0 5 6 on 


al,'-! 
positive_result: 
stosb ; Bump string pointer 
; past sign 
and dl,not MINUS ; Turn off sign bit 
fwait ess Wait for fbstp to finish 


=e 


=s 


Register usage: ate ee ee | 
a ah: BCD byte value in use 
ale: ASCII character value |. 
dx: Return ‘value 
ch: BCD mask = Ofh 
els - - BCD shift count = 4 
bx: °° ASCII string field width. 
esi: ‘.. BCD field index 3 
- diz - ASCII string field pointer 
ds,es: ASCII string segment base 


=e =e @e Sse Se Be Be Be Ws WE 


Remove leading zeroes from the number. 


me 
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skip leading zeroes: 
mov ah,bcd_byteLesi] 
mov al,ah 
shr al,cl 
and al ,Ofh 
jnz enter_odd 
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: Get BCD byte 
Copy value 
Get high order digit 
Set zero flag 
Exit loop if leading 


: non zero found 


al,ah 
al,Ofh 
enter_even 


dec esi 


jns 
The significand was al 

mov al,'0! 
stosb 
inc 

jmp 


ebx 


+ digit found - 


skip_leading_zeroes 


short exit_with_value 


Get BCD byte again 
Get. low order digit 
Exit loop if non zero 


+ Decrement BCD index 


l zeroes. 
: Set initial zero 


; Bump string length 


‘ Now expand the BCD string into digit 
' 


per byte values 0-9. 
digit loop: 
mov 
mov 
shr 
enter_odd: 
add 
stosb 


ah,bcd_byte[esi] 
al,ah 
al,cl 


al,'0! 


‘+ string area 


al,ah 
al ,Ofh 
ebx 


mov 
and 
inc 
enter_even: 
add 

stosb 
inc 
dec 
.jns 


al, 'O! 


ebx 
esi 
digit_loop 


Conversion complete. 
size and remainder. 


° 
a 


exit_with_value: — oa 
edi,size_ptr 


Get BCD byte 
Get high order digit 


- Convert to ASCII 
: Put digit into ASCII 


Get low order digit 
; Bump field size counter 
; Convert to ASCII 
; Put digit into ASCII area 


: Bump field size counter 
: Go to next BCD byte 


Set the string 


word ptr [edi] ,bx 


eax, edx 

exit_proc 
floating_to_ascii endp 
code 


Figure 20-6. Floating-Point to ASCII Conversion Routine (Contd.) 


; Set return value 
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+1 $title(Calculate the value of 10**ax) 


This subeout ne will calculate the 
value of 10**eax. For values of 
QO <= eax < 19, the result will exact. 
All: registers. are transparent 
and the value is returned on the TOS 
as two numbers, exponent in ST(1) and 
fraction in ST(0). The exponent value 
can be larger than the largest 

~* exponent of an extended real format 

number. Three stack entries are used. : 


7 |e Be Be Me Ms MS Ws Ve We We We “Ws 


name get_power_10 
public get_power_10,power_table 


stackseg 8 
segment public er 


_ Use exact. values from 1.0 to 1e18. 


- even ; Optimize 16 bit access 
power_table dq ‘1.0, 1e1, 1e2, 1e3 


1e4,1e5, 1e6, 1e7 
1e8, 1e9, 1e10, 1e11 
1e12,1e15,1e14, 101 
te16, 1€17, 1€18 


get_power_10 proc 


cmp eax, 18 ; Test for 0 <= ax < 19 
ja out_of_range 


fld . power_table[eax*8]; Get exact value 
fxtract 3. Separate power 
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> and fraction 
ret + OK to leave fxtract running 


Calculate the value using the 
exponentiate instruction. The following 
relations are used: ; 

10**x = 2**(log2(10)*x) 
2**CI+F) =: ox*] * OxX*F . 
if st(1) = 1 and st(0) = 2**F then 
' fscale produces 2**(1+F) 


ut_of_range: 


fldl2t | + TOS = LOG2(10) 
enter 4,0 


» save power of 10 value, P 
mov [ebp-4] , eax 


: TOS,X = LOG2(10)*P = LOG2¢10**P) 
fimul dword ptr [ebp-4] 
fldi ; Set TOS = -1.0. 
fchs 
fld st(1) |; Copy power value 
: in base two 
frndint ; TOS = I: -inf < I <= X 
: where I is an integer 
+ Rounding mode does 


ss not matter 
fxch st(2) =; TOS = X, ST(1) = -1.0 
; ST(2) = 
fsub st,st(2) + TOS,F = X-1: 
+ -1.0 < TOS <= 1.0 


s Restore orignal rounding control 

pop eax | 

f2xm1 > TOS = 2**(F) - 1.0 

leave - Restore stack 

fsubr * Form 2**(F) 

ret - OK to leave fsubr running 


get_power_10 


code 
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Figure 20-6. Floating-Point to ASCII Conversion Routine (Contd.) 
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+1 S$title(Determine TOS register contents) 


This subroutine will return a value 
- from 0-15 in eax corresponding 
to the contents of FPU TOS. All 
registers are transparent and no 
errors are possible. The return 
value corresponds to c3,c2,c1,c0 
of FXAM instruction. 


ws Se Ms Be We Ws We Be WE 


name tos_status 
public tos_status 


stack stackseg 6 


code segment public er — 
tos_status _ proc 


fxam > + Get status of TOS register 
fstsw ax 3 Get current status | 
mov al, ah_ ~: Put bit 10-8 into bits 2-0 
and eax, 4007h : Mask out bits c3,c2,c1,c0 
shr ah, 3 | » Put bit c3 into bit 11 

or al,ah : Put c3 into bit 3 

mov ah,0 : Clear return value 

ret 


tos status endp 


code ends 
end 
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Figure 20-6.. Floating-Point to ASCII Conversion Routine (Contd.) | 
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20.3.3 Special Instructions 


The functions demonstrate the operation of several numeric instructions, different data 
types, and precision control. Shown are instructions for automatic conversion to BCD, 
calculating the value of 10 raised to an integer value, establishing and maintaining con- 
currency, data synchronization, and use of directed rounding on the FPU. 


Without the extended precision data type and built-in exponential function, the double 
precision accuracy of this function could not be attained with the size and speed of the 
shown example. 


The function relies on the numeric-BCD data type for conversion from binary floating- 
point to decimal. It is not difficult to unpack the BCD digits into separate ASCII deci- 
mal digits. The major work involves scaling the floating-point value to the comparatively 
limited range of BCD values. To print a 9- ~digit result requires accurately scaling the 
given value to an integer between 10° and 10. For example, the number +0.123456789 
requires a scaling factor of 10” to produce the value + 123456789.0, which can be stored 
in 9 BCD digits. The scale factor must be an exact Bowes of 10 to avoid changing any of 
the printed digit values. | 


These routines should exactly convert all values exactly representable in decimal in the 
field size given. Integer values that fit in the given string size are not be scaled, but 
directly stored into the BCD form. Noninteger values exactly representable in decimal 
within the string size limits are also exactly converted. For example, 0.125 is exactly 
representable in binary or decimal. To convert this floating-point value to decimal, the 
scaling factor is 1000, resulting in 125. When scaling a value, the mncuon must keep 
track of where the decimal point lies in the final decimal value. 


20.3.4 Description of Operation 


~ Converting a floating-point number to decimal ASCII takes three major steps: identify- 
ing the magnitude of the number, scaling it for the BCD data type, and converting the 
BCD data type to a decimal ASCII string. 


Identifying the magnitude of the result requires finding the value X such that the num- 
ber is represented by I x 10*, where 1.0 < I < 10.0. Scaling the number requires 
multiplying it by a scaling factor 10°, so that the result is an integer requiring no more 
decimal digits than provided for in the ASCII string. 


Once scaled, the numeric rounding modes and BCD conversion put the number in a 
form easy to convert to decimal ASCII by host software. | 


Implementing each of these three steps requires attention to detail. To begin with, not 
all floating-point values have a numeric meaning. Values such as infinity, indefinite, or 
NaN may be encountered by the conversion routine. The conversion routine should 
recopnize these values and identify them uniquely. 
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Special cases of numeric values also exist. Denormals have numeric values, but should be 
recognized because they indicate that precision was lost during some earlier calculations. 


Once it has been determined that the number has a numeric value, and it is normalized 
(setting appropriate denormal flags, if necessary, to indicate this to the calling program), 
the value must be scaled to the BCD range. 


20.3.5 Scaling the Value 


To scale the number, its magnitude must be determined. It is sufficient to calculate the 
magnitude to an accuracy of 1 unit, or within a factor of 10 of the required value. After 
scaling the number, a check is made to see if the result falls in the range expected. If not, 
the result can be adjusted one decimal order of magnitude up or down. The adjustment 
test after the scaling is necessary due to inevitable inaccuracies in the scaling value. 


Because the magnitude estimate for the scale factor need only be close, a fast technique 
is used. The magnitude is estimated by multiplying the power of 2, the unbiased floating- 
point exponent, associated with the number by log, 92. Rounding the result to an integer 
produces an estimate of sufficient accuracy. SHOU the fraction value can introduce a 
maximum error of 0.32 in the result. - 


Using: the magnitude of the value and size of the number string, the scaling factor can be 
calculated. Calculating the scaling factor is the most inaccurate operation of the conver- 
sion process. The relation 10*=2"!°&'°) is used for this function. The exponentiate 
instruction F2XM1 is used. | 


Due to restrictions on the range of values allowed dy the F2XM1 ree the power 
of 2 value is split into integer and fraction components. The relation 24 * ¥) = 2! x 2F 
allows using the FSCALE instruction to recombine the 2° ae hie through - 
F2XM1, and the 2' part. | 


20.3.5.1 INACCURACY IN SCALING 


The inaccuracy in calculating the scale factor arises because of the trailing zeros placed 
into the fraction value of the power of two when stripping off the integer valued bits. For 
each integer valued bit in the power of 2 value separated from the fraction bits, one bit 
of precision is lost in the fraction field due to the zero fill occurring in the least signifi- 
cant bits. 7 | 


Up to 14 bits may be lost in the fraction because the largest allowed floating point 
exponent value is 2'*—1. These bits directly reduce the accuracy of the calculated scale 
factor, thereby reducing the accuracy of the scaled value. For numbers in the range of 
10*°°, a maximum of 8 bits of precision are lost in the scaling process. 
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20.3.5.2 AVOIDING UNDERFLOW AND OVERFLOW 


The fraction and exponent fields of the number are separated to avoid underflow and 
overflow in calculating the scaling values. For example, to scale 10~*”*” to 10° requires a 
scaling factor of 10°", which cannot be represented by the Intel486 processor. 


By separating the exponent and fraction, the scaling operation involves adding the expo- 
nents separate from multiplying the fractions. The exponent arithmetic involves small 
integers, all easily represented by the Intel486 processor. 


20.3.5.3 FINAL ADJUSTMENTS 


It is possible that the power function (Get_Power_10) could produce a scaling value such 
that it forms a scaled result larger than the ASCII field could allow. For example, scaling 
9.9999999999999999 x 10°79 by 1.00000000000000010 x 10~*8° produces 
- 1.00000000000000009 x 10°°. The scale factor is within the accuracy of the FPU and the 
result is within the conversion accuracy, but it cannot be represented in BCD format. 
This is why there is a post-scaling test on the magnitude of the result. The result can be 
multiplied or divided by 10, depending on whether the result was too small or too large, 
respectively. | 


20.3.6 Output Format 


For maximum flexibility in output formats, the position of the decimal point is indicated 
by a binary integer called the power value. If the power value is zero, then the decimal 
point is assumed to be at the right of the rightmost digit. Power values greater than zero 
indicate how many trailing zeros are not shown. For each unit below zero, move the 
decimal point to the left in the string. | 


The last step of the conversion is storing the result in BCD and indicating where the 
decimal point lies. The BCD string is then unpacked into ASCII decimal characters. The 
ASCII sign is set corresponding to the sign of the original value. 


20.4 TRIGONOMETRIC CALCULATION EXAMPLES 


In this example, the kinematics of a robot arm is modeled with the 4 x 4 homogeneous 
transformation matrices proposed by Denavit and Hartenberg’*. The translational and 
rotational relationships between adjacent links are described with these matrices using 
the D-H matrix method. For each link, there is a 4 X 4 homogeneous transformation 


1. J. Denavit and R.S. Hartenberg, “A Kinematic Notation for Lower-Pair Mechanisms Based on Matrices,” 
J. Applied Mechanics, June 1955, pp. 215-221. 


2. C.S. George Lee, “Robert Arm Kinematics, Dynamics, and Control,” IEEE Computer, Dec. 1982. | 
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matrix that represents the link’s coordinate system (L,) at the joint (J;) with respect to 
the previous link’s coordinate system (J;_,;, L;_,). The following four geometric quanti- 
ties completely describe the. motion of any rigid joint/link pair (J;, L,), as Figure 20-7 
illustrates. | . | | | | | | 


0 = The angular displacement of the Xx, axis from the X,_, axis by rotating around the 
Z,_, axis (anticlockwise). | | 
d, = The distance from the origin of the (i-1)"" coordinate system along the z;., axis 
to the x; axis. ~ | 


a; = The distance of the origin of the i coordinate system from the z;., axis along 
the —x; axis. | | 
a; = The angular displacement of the z; axis from the z;., about the x; axis 


- ri — (anticlockwise). — 


| 


Z 
~~ 


JOINT, 


an 


Figure 20-7. Relationships Between Adjacent Joints 


240486i20-7 
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The D-H transformation matrix AL for adjacent coordinate frames (from joint,., to 
joint, is calculated as follows: 


Aa Tak P< Tee kT 


X, 


where: 
Th represents a translation along the z,., axis 
T,9 represents a rotation of angle 8 about the z;., axis 
i eee represents a translation along the x; axis — 
Ty0 represents a rotation of angle a about the x; axis 
COS 6, —COS a; SIN 8; SIN a; SIN 6; COS 6, 
oe SIN 6; COS a; COS 6; —SIN a; COS 6; SIN 6; 
a 0 SIN a; — COS a i d; 
0 0 O | 1 


The composite homogeneous matrix T which represents the position and orientation of 
the joint/link pair with respect to the base system is obtained by successively multiplying 
the D-H transformation matrices for adjacent coordinate frames. 


TL = AL x Af Xx... x AL, 
oO 0 1 i 


This example in Figure 20-8 illustrates how the transformation process can be accom- 
plished using the floating-point capabilities of the Intel486 processor. The program con- 
sists of two major procedures. The first procedure TRANS_PROC is used to calculate 
the elements in each D-H matrix, At). The second a MATRIXMUL_PROC 
finds the product of two successive D-H matrices. . 
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Name ROT_MATRIX_CAL 


* This example illustrates the use 

; of the i486 floating point 

- instructions, in particular, the 

* FSINCOS function which gives both 
= the SIN and COS values. 

; The program calculates the 

; composite matrix for base to end- 
- effector transformation. | 


* Only the kinematics is considered in 
this example. 


If the composite matrix mentioned above 
is given by: | 

Tin =:A1 x A2 x ..s X An 

Tin is found by successively calling 
trans_proc and matrixmul_pro until 

all matrices have been exhausted. 


trans_proc calculates entries in each— 
ACA1,...,An) while matrixmul_proc 
performs the matrix multiplication for 
Ai and Ai+1. matrixmul_proc in turn 
calls matrix_row and matrix_elem to 
do the multiplication. 


ee oe Be Bs Be We Bs We We Be We We We Be We =e @& = = = - = = = 


-: Define stack space 
trans_stack stackseg 400 


: Define the matrix structure for 
: 4X4 transformational matrices 


a_matrix struc 


ait dq ? 
ai2 dq ? 
ai3 dq ? 
al4 dq ? 
a2 dq? 
a22 dq ? 
a23 dq ? 
a24 dq ? 
a31 dq Oh 
a32 dq ? 
a33 dq ? 
a34 dq ? 
a41 dq Oh 
a42 dq Oh 
a43 dq Oh 
a44 dq 1h 


Figure 20-8. Robot Arm Kinematics Example 
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a_matrix -ends 


- Assume One joint in the storage 

- allocation and hence for 

- two sets of parameters; however, | 
- more joints are possible 


alp_deg struc 

| alpha_degi dd ? 
alpha _deg2 dd ? 

alp deg ends 


tht_deg struc 
theta_deg1 dd 
theta_deg2 dd 
tht_deg ends | 


A_array struc. 
Al 
a A2 | 
A_array ends 


D_array struc 
D1 
D2 
D_array ends 
; trans_data is. the data segment 
. 
trans data © —s segment _ rw public 
Am a_matrixe 
Bmx a matrix<> 
Tmx a_matrix<> 
ALPHA_DEG ‘alp_deg<> 
THETA_DEG  tht_deg<> 
A_VECTOR A_array<>_ 
D_VECTOR D_array<> 


' ZERO dd 
‘di80°==——sti‘iés 
~ NUM_JOINT equ 
NUM ROW equ 
NUM_COL  =——s equ = 
REVERSE = =— db 
trans_data ends > 


assume §_ds:trans_data, es:trans_data 
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Figure 20-8. Robot Arm Kinematics, Example (Contd.) ° 
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: trans_code contains the procedures 
: for calculating matrix elements and 
; matrix multiplications — 


trans_code § segment er public 
trans proc proc far 


Calculate alpha and theta in radians 
- from their values in degrees 


fldpi 
fdiv d180 


Duplicate pi/180 
fld st 


fmul qword ptr ALPHA_DEG{ecx*8] © 
fxch st(1) 
fmul qword ptr THETA_DEG[ecx*8] 


theta(radians) in ST and 
alpha(radians) in ST(1) 


me *e 


Calculate matrix elements | 
ail = cos theta . 

ai2 = - cos alpha * sin thet 
al3 = sin alpha * sin theta — 
ai4 = A * cos theta 
a2i = sin theta 

a22 = cos alpha * cos theta 
a23 = -sin alpha * cos theta 
a24 = A * sin theta he 
a32 = sin alpha 

a33 = cos alpha 

a34 = D- 

a31 = a41 = a42 

a44 _ 


s 
J 
e 
a 
e 
& 
e 
a 
® 
a 
s 
a 
e 
a 
® 
a 
r 
a 
e 
s 
e 
‘ 
e 
s 
e 
c 
r 
a 


ebx contains the offset for the matrix 


fsincos scos theta in ST 
ssin theta in ST(1) 

fld st sduplicate cos theta 
fst Cebx].a11 ;cos theta in ail 
fmul quord ptr A_VECTOR [ecx*8] 

fstp Cebx] .a14 ;A * cos thetain al4 
fxch st(1). ssin theta in ST 

fst {ebx] .a21 ssin theta in a21 
fld st sduplicate sin theta 
fmul  qword ptr A_VECTOR [ecx*8] 

fstp {ebx].a24 ;A * sin theta in a24 
fld = st¢2) _talpha in ST 
_fsincos “*scos alpha in ST 
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zsin alpha in 
ssin theta in 
scos theta in 
Cebx] .a33 ;cos alpha in 
st(1) 7sin alpha in 
Cebx] .a32 ;sin alpha in 
ST(2) = ;ssin theta in 
sin alpha in 
st,st(1) j;sin alpha * sin theta 
{ebx] .a13 ;stored in a13 
st,st(3) ;cos theta * sin alpha 
s;-cos theta * sin alpha 
Cebx] .a23 ;stored in a23 
st(2) ;cos theta in ST 
;cos alpha in ST(1) 
ssin theta in ST(2) 
;cos theta in ST(3) 
fmul st,st(1) ;cos theta * cos alpha 
fstp [ebx] .a22 ;stored in a22 
fmul st,st(1) ;cos alpha * sin theta 


To take advantage of parallel operations 
between the IU and FPU 7 


push eax 3; save eax 


also move D into a34 in a faster way 

eax, dword ptr D_VECTOR [ecx*8] 

dword ptr [ebx + 88], eax 

eax, dword ptr D_VECTOR[ecx*8 + 4} 

dword ptr [ebx + 92], eax 

eax ; restore eax 
3-cos alpha * sin theta 

Cebx].al2 ;stored in al2 
sand all nonzero elements 
shave been calculated 


trans_proc endp 


matrix_elem proc far 


This procedure calculate the dot product 
of the ith row of the first matrix and 
the jth column of the second matrix: 


Tij where Tij = sum of Aik x Bki over k 


parameters passed from the calling routine, 
matrix_row: 

ESI = (i-1)*8 

EDI = (j-1)*8 

local register, EBP = (k-1)*8 


=e Se Se Be Ve We We Bo Be We Bs WS 
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Figure 20-8: Robot Arm Kinematics Example (Contd.) 


20-29 


intel o NUMERIC PROGRAMMING EXAMPLES 


push — _ebp 7 save ebp 
push ine ecx. = 3 ecx to be used as a tmp reg 
mov ecx, ‘esi; save it for later indexing 


beeeting the element in the first:matrix, A 

imul ecx, NUM COL’ '; ecx contains offset due 
ti °°» to preceding rows; the 

offset is from the 

beginning of oo matrix 


Do 


=e “ep Ge Be. 


; clear ebp, which will be 
; used a temp reg to index( k) 
; across the ith row of the first 
“: matrix as well as down the jth 
7 column of the second matrix 


- clear Ti for accumulating Aik*Bkj 
mov ‘“dword ptr [edx ] Ledi] ,ebp 
mov °  ‘dword ptr fedx] Ledi+4] , ebp 


push’ ecx — ; Save on stack: esi * num_col = 
‘: the offset of the beginnging 
7 of the ith row from the | 
beginning of the A matrix 


add eCx, eb ; : get to the kth column entry 


: of ‘the en row of ‘the A matrix 


load Aik into FPU- 
fld ar8 ptr Ceax] [ecx] ss 


. locating Bkj 

mov’ - ecx, ebp- ; : 
imul CCX, NUM_ ROW 7 ecx contains the offset 
ge ee ‘of the beginning of the 
“kth row from the 
beginning of the B matrix 
get to the aes Eom 


me ™@s Be Ge Ne 


ecx, edi 


of the kth row of the B 
so 5 matrix 
fmul qword ptr Lex) fecx] ; ‘Aik * Bkj. 
“pop ecx 7 esi * num_ col 
Beaty nayeeee «Ae “s in ecx: again ~ 
push ecx ~  - 3 also at OP of: program 
| ¢ stack © | 


=e 


> add to the result in the output matrix, 143 : 
-, ecx, edi 


: aeragiattes ‘ie sum of Aik * Bkj 
fadd qword ptr [edx][ecx] | 
fstp qword ptr [edx] [ecx] - 7 
- increment k by 1, i.e., ebp by 8°: 
add ebp, 8 
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Has k reached the width of the matrix yet? 
cmp ebp, NUM COL*8 — 
jl NXT_k 


Restore registers 

pop ecx ; clear esi*num_col from stack 
pop ecx * restore ecx 
’ 


pop ebp restore ebp 
ret 


matrix_elem endp 


matrix_row proc far 


xor edi, edi 
s scan across a row 


NXT_COL: 
call matrix_elem 
add edi, 8 
cmp edi, NUM_COL*8 
jl NXT_COL 
ret 


matrix_row endp 


matrixmul_proc proc far 


This procedure does the matrix 
multiplication by calling matrix_ row 
to calculate entries in each row 


The matrix ‘multiplication is 
performed in the following manner, 
Tij = Aik x Bkj | 
where i and j denote the row and column — 
> respectively and k is the index for 
* scanning across the ith row of the 
> first matrix and the jth column of the 
; second matrix. | 
mov ebp, esp ;use base pointer for indexing 
mov — edx, dword ptr [ebp +4] ‘offset Tmx in edx 
mov — ebx, dword ptr [ebp +8} ‘offset Bmx in ebx 
mov eax, dword ptr [ebp= 12] ;offset Amx in eax 
: setup esi and edi | 
; edi points to the column 
; esi points to the row — 


1) 2 = = =e &@e @e Bs Bs Be Be Be 


xor esi, esi ; clear esi 


NXT_ROW: — 
call matrix_row 
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Figure 20-8. Robot Arm Kinematics Example (Contd.). 
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add . esi, 8 WS dae GREE 

cmp esi, NUM_ROW*S 

jl NXT_ROW — e 
ret 12 ;pop off matrix pointers 


matrixmul_proc endp 


trans_code ends 
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Main program 
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main_code segment er 
START: 


mov esp, stackstart trans_stack 
save all registers 


pushad 


ECX denotes the number of joints 
where no of matrices.= NUM_JOINT + 1 
Find the first matrix( from the. base 
of the system to. the. first joint) . 
and call it Bmx 

xor e@CX, e@CX 7 (st matrix | 
mov ebx,. offset, Bmx fj. 
call trans_proc is Bm 
inc. ecx - 


=e Se Be Be BE 


NXT_MATRIX: 
From the. 2nd matrix ‘and on, it. | 
will be stored in Am. — ne 
The result from the first matrix mult. . 
is: stored in Tmx but will be accessed | 
‘as Bmx in the next multiplication. 
CAS. a matter of fact, the roles ‘of Bmx 
and Tmx alternate in successive 
multiplications. This, is achieved by - 
reversing the order of. the Bmx and Tmx . 
pointers being passed onto the program 
stack. Thus, this is invisible to the 
matrix multiplication procedure. 
REVERSE serves as the indicator; 
REVERSE = 0 means that the result 

is to placed in Tmx. 


me se Me Be Tse Be Ne BE ma Se Mee he =s @s 
: : 


Figure 20-8. :Robot:Arm Kinematics Example. (Contd:) 
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mov ebx, offset Amx ;find Amx 
call trans_proc 

inc ecx 

xor REVERSE, 1h 

jnz Bmx_as_Tmx 


* no reversing. Bmx as the second input 
; matrix while Tmx as the output matrix. 
push offset Amx 
push offset Bmx 
push offset Tmx 
jmp CONTINUE 


: reversing. Tmx as the second input 
; matrix while Bmx as the output matrix. 
Bmx_as_Tmx: 
push offset Amx 
push offset Tmx j;reversing the 
push offset Bmx j;pointers passed 


CONTINUE: 
call matrixmul_proc 
cmp ecx, NUM JOINT 
jle NXT_MATRIX 


: if REVERSE = 1 then the final answer 
; will be in Bmx otherwise, in Tmx. 


popad 
main_code ends 


end START, ds:trans data, ss:trans_stack 
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Figure 20-8. Robot Arm Kinematics Example (Contd.) 
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CHAPTER 21 
EXECUTING 286 AND 
Intel386 DX OR SX CPU PROGRAMS 


In general, programs written for protected mode on a 286 processor run without modi- 
fication on the Intel486 processor. The features of the 286 processor are an object-code 
compatible subset of those of the Intel486 processor. The Default bit in segment descrip- 
tors indicates whether the processor is to treat a code, data, or stack segment as a ae or 
Intel386/Intel486 CPU segment. . 


To software, the features of the Intel386 DX or SX processors are virtually identical to 
the Intel486 processor. For the most part, the differences are in the underlying hardware 
implementation. 


The segment descriptors used by the 286 processor are supported by the Intel486 pro- 
cessor if the Intel-reserved word (highest word) of the descriptor is clear. On the 
Intel486 processor, this word includes the upper bits of the base address and the seg- 
ment limit. 


The segment descriptors for data segments, code segments, local descriptor tables (there 
are no descriptors for global descriptor tables), and task gates are the same for the 286, 
Intel386, and Intel486 processors. Other 286 CPU descriptors (TSS segment, call gate, 
interrupt gate, and trap gate) are supported by the Intel486 processor. The Intel486 
processor also has descriptors for TSS segments, call gates, interrupt gates, and trap 
gates which support the 32-bit architecture of the Intel486 processor. Both kinds of 
descriptors can be used in the same system. 


For those segment descriptors common to both the 286 and Intel486 processors, clear 
bits in the reserved word cause the Intel486 processor to interpret these descriptors 
exactly as a 286 processor does; for example: 


Base Address—The upper eight bits of the 32-bit base address are clear, which limits 
base addresses to 24 nol , | 


Limit ~The upper four bits of the limit field are clear, restricting | the value of the limit 
field to 64K bytes. | 


Granularity bit — The Granularity bit is clear, means | the value of the 16-bit limit is 
interpreted in units of 1 byte. 


Big bit—In a data-segment descriptor, the B bit is clear, indicating the segment is no 
larger than 64 Kbytes. 


Default bit—In an code-segment descriptor, the D bit is clear, indicating 16-bit address- 
ing and operands are the default. In a stack-segment descriptor, the D bit is clear, 
_ Indicating use of the SP oes (instead of the ESP register) and a 64K me maximum 
segment limit. 
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For formats of these eos and documentation of their use see the idPX 286 ae 
grammer ’s Reference Manual. | 


21.1 TWO WAYS TO RUN 286 CPU TASKS 


When porting 286 programs to the Intel486 processor, there are two "approaches, to 
consider: | | 


1. Banas an entire 286 sofaaie apie to the Intel486 processor, complete with the 
old operating system, loader, and system builder. 


— In this case, all tasks will have 286 TSSs. The Intel486 processor is being used as if it 
_ were a faster version of the 286 processor. — 


2. Porting selected 286 applications to run in an Intel486 CPU processor ‘environment 
with an Intel486 CPU operating system, loader, and system builder. ' 4 


In this case, the TSSs used to represent 286 tasks should be changed to Intel486 

~ CPU TSSs. Tt is possible to mix 286 and Intel486 CPU TSSs, but the benefits are 

small and the problems are great. All tasks in an Intel486 CPU software system 

should have Intel486 CPU TSSs. It is not necessary to change the 286 object mod- 

~~ ules.themselves; TSSs are usually constructed by the operating system, by the loader, 

~ or by the system builder. See Chapter 24 for more cle of the interface 
a between 16- a and 32- ‘bit code. 4 


1.2 DIFFERENCES FROM 286 CPU 


The few. differences between the 286 and Intel486 processors affect operating syste 
more ;than application programs. . | a 


21.2.1 Wraparound of 286 Processor 24-Bit Physical Address Space 


With the 286 processor, any base and offset combination which addresses beyond 
16,megabytes wraps. around to the first megabyte of the address space. With the Intel486 
processor, because it has a greater physical address space, any such address maps to the 
17th megabyte. In the unlikely event that any software depends on address wraparound, 
the same effect can be simulated on the Intel486 processor by using paging to map the 
first 64K bytes past the top of the 16- -megabyte address space to the bottom 64K bytes of 
the segment. 


21.2.2 ‘Heselved word of a Beene 


Bedise the Intel486 | processor uses the contents of the bescnied soni of 286 eacnt 
descriptors, 286 programs which place values in this word may not run coreely on the 
Intel486 processor. 
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21.2.3 New Segment Descriptor Type Codes 


Operating-system code which manages space in descriptor tables often uses an invalid 
value in the access-rights field of descriptor-table entries to identify unused entries. 
Access rights values of 80H and 00H remain invalid for both the 286 and Intel486 pro- 
cessors. Other values which were invalid on the 286 processor may be valid on the 
Intel486 processor because uses for these bits are defined for the Intel486 processor. 


21 2.4 Restricted Semantics of Lock Prefix 


The 286 processor performs the bus lock feign differently ‘ide the Intel486 proces- 
sor. Programs which use forms of memory locking specific to the 286 processor may not 
run properly when run on the Intel486 processor. 


The LOCK prefix and its bus signal only should be used to prevent other bus masters 
from interrupting a data movement operation. The LOCK prefix only may be used with 
the following Intel486 instructions when they modify memory. An invalid-opcode excep- 
tion results from using the LOCK prefix before any other instruction, or with these 
instructions when no write operation is made to memory (i.e., when the destination 
operand is in a register). 


e Bit test and change: the BTS, BTR, and BTC instructions. 


e Exchange: the XCHG, XADD, and CMPXCHG instructions (no LOCK peels is 
needed for the XCHG instruction). 


° One- -operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 


e Two-operand arithmetic and logical: the ADD, ADC, SUB, SBB, AND, OR and 
XOR instructions. 


A locked instruction is guaranteed to lock only the area of memory defined by the 
destination operand, but may lock a larger memory area. For example, typical 8086 and 
286 configurations lock the entire physical memory space. 


On the 286 processor, the LOCK prefix is sensitive to IOPL; if CPL is less privileged 
than the IOPL, a general protection exception is generated. On the Intel386 DX and 
Intel486 processors, no check against IOPL is performed. 


21.2.5 Additional Exceptions 


The Intel386 and Intel486 processors have new exceptions which can occur even in 
systems designed for the 286 processor. 


e Exception #6—invalid opcode _ 
This exception can result from improper use of the LOCK instruction prefix. 
e Exception #14—page fault 


_ This exception may occur in a 286 program if the operating system enables paging. 
Paging can be used in a system with 286 tasks if all tasks use the same page directory. 
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Because there is no place in a 286 TSS to store the PDBR register, switching to a 286 
task does not change the value of the PDBR register. Tasks ported from the 286 
_ processor should be given Intel486 CPU TSSs so they can make full use of paging. © 


21.3 DIFFERENCES FROM Intel386 CPU — 


Very few differences exist between the programming models of the Intel386 DX or SX 
and Intel486 processors. The Intel486 processor defines new bits in the EFLAGS, CRO, 
and CR3 registers, and in entries in the first- and second-level page tables. On the 
Intel386, processors, these bits were reserved, so the new architectural features should 
not be a compatibility issue. 7 . 7 7 , 


21 3. 1 New Flag 


The AC flag (bit position 18), in conjunction with the AM bit in the CRO register, 
controls alignment checking. | 2 


21.3.2 New Exception | 


The ieamere wieee exception (exception vector 17) reports unaligned memory: refer- 
ences when alignment eneckne is being pertonneg: 


: 21.3.3 New Insiructions 


There are three new application instructions: : 
e BSWAP instruction 

* XADD iotichion 

e CMPXCHG instruction 


There are three new system instructions, used for managing. the cache and TLB: 

e INVD instruction — 

e WBINVD instruction 

e INVLPG instruction 

The form of the MOV instruction used to access the test registers has changed. New test 


— registers have been defined for the cache, and the model of the ee accessed through 
the test registers has changed. , 7 bang 
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21.3.4 New Control Register Bits 


Five new bits have been defined in the CRO register: 
eo NE bit 
o WP bit 
e AM bit 
o NW bit 
e CD bit 


Two new bits have been defined in the CR3 register: 
0 PCD bit 
o PWT bit 


21.3.5 New Page-Table Entry Bits 


Two bits have been defined in page table entries for controlling caching of pages: 
0 PCD bit | 
o PWT bit 


21.3.6 Changes in Segment Descriptor Loads 
On the Intel386 processors, loading a segment descriptor would always cause a locked 


read and write to set the accessed bit of the descriptor. On the Intel486 processor, the 
locked read and write occur only if the bit is not already set. 
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CHAPTER 22. 
REAL-ADDRESS MODE 


The real-address mode of the Intel486 processor runs programs written for the 8086, 
8088, 80186, or 80188 processors, or for the real-address mode of a 286 or Intel386 
processor. 


The architecture of the Intel486 processor in this mode is almost identical to that of the 
8086, 8088, 80186, and 80188 processors. To a programmer, an Intel486 processor in 
real-address mode appears as a high-speed 8086 processor with extensions to the instruc- 
tion set and registers. The principal features of this architecture are defined in Chapters 
2 and 3. 


This chapter discusses certain additional topics which complete the system programmer S 
view of the Intel486 processor in tea address mode: 

e Address formation. 

e Extensions to registers and instructions. 

e Interrupt and exception handling. 

e Entering and leaving real-address mode. 

o Real-address mode exceptions. 

0 Differences from 8086 processor. 

e Differences from 286 processor in real-address mode. 

e Differences from Intel386 processors in real-address mode. 


e Processor detection code 


22.1 ADDRESS TRANSLATION 


In real-address mode, the Intel486 processor does not interpret 8086 selectors by refer- 
ring to descriptors; instead, it forms linear addresses as an 8086 processor would. It shifts 
the selector left by four bits to form a 20-bit base address. The effective address is 
extended with four clear bits in the upper bit positions and added to the base address to 
create a linear address, as shown in Figure 22-1. 


Because of the possibility of a carry, the resulting linear address may have as many as 21 
significant bits. An 8086 program may generate linear addresses anywhere in the range 0 
to 1OFFEFH (1 megabyte plus approximately 64K bytes) of the linear address space. 
Because paging is not available in real-address mode, the linear aeesS 1S used as the 
physical address. | 


Unlike the 8086 and 286 processors, but like the Intel386 processors, the Intel486 pro- 


cessor can generate 32-bit effective addresses using an address override prefix; however 
in real-address mode, the value of a 32-bit address may not exceed 65,535 without 
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Figure 22-1 . 8086 Address Translation 


causing an exception. For full compatibility with 286 real-address mode, pseudo- 
protection faults (interrupt 12 or 13 with no error code) occur if an effective address i 1S 
generated outside the range 0 through 65 935. 


22.2 REGISTERS AND INSTRUCTIONS 


The register set available in real-address mode includes all the registers defined for the 
8086 processor plus the new registers introduced with the’ Intel386 processor and 
Intel387 coprocessor: FS, GS, debug registers, control registers, test registers, and 
floating-point unit registers. New instructions which explicitly operate on the segment 
registers FS and GS are available, and the new segment-override prefixes can be used to 
cause instructions to use the FS and GS registers for address calculations. 


The instruction codes which generate invalid-opcode exceptions include instructions 
from protected mode which move or test Intel486 CPU segment selectors and segment 
descriptors, i.e., the VERR, VERW, LAR, LSL, LTR, STR, LLDT, and SLDT instruc- 
tions. Programs executing in real-address mode are able to take advantage of the new 
application-oriented instructions added to the architecture with the ynecuchon of the 
80186, 80188, 80286, Intel386 DX, SX and Intel486 processors: 7 as, 


¢ New instructions introduced on the 80186, 80188, and 286 processors. 
 — PUSH immediate data. 3 
fae Push all and pop all (PUSHA and 1 POPA) 
= | Multiply immediate data. | sae 
— Shift and rotate by iminediaté count | 
— String 1/O a 
os ENTER and LEAVE instructions - : 
_ BOUND: instruction ~~ ee 
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e New instructions introduced on the Intel386 DX processor. 
_— LSS, LFS, LGS instructions 
- Long- displacement conditional j jumps 
— Single-bit instructions 
— Bit scan instructions 
— Double-shift instructions 
— Byte set on condition instruction 
— Move with sign/zero extension 
— Generalized multiply instruction 
— MOV to and from control registers 
— MOV to and from test registers | 
— MOV to and from debug registers 
e New instructions introduced on the Intel486 processor. 
— BSWAP instruction a | 
— XADD instruction 
— CMPXCHG instruction _ 
— INVD instruction (privileged) 
— WBINVD instruction (privileged) 
-— INVLPG instruction eee, 


22.3 INTERRUPT AND EXCEPTION HANDLING . 


Interrupts and exceptions in Intel486 CPU real- address mode work much as they do on 
an 8086 processor. Interrupts and exceptions call interrupt procedures through an inter- 
rupt table. The processor scales the interrupt or exception identifier by four to obtain an 
index into the interrupt table. The entries of the interrupt table are far pointers to the 
entry points of interrupt or exception handler procedures. When an interrupt occurs, the 
processor pushes the current values of the CS and IP registers onto the stack, disables 
interrupts, clears the TF flag, and transfers control to the location specified in the inter- 
rupt table. An IRET instruction at the end of the handler procedure reverses these steps 
before returning control to the interrupted procedure. Exceptions do not return error 
codes in real-address mode. 


The primary difference in the interrupt handling of the Intel486 processor compared to 
the 8086 processor is the location and size of the interrupt table depend on the contents 
of the IDTR register. Ordinarily, this fact is not apparent to programmers, because, after 
reset initialization, the IDTR register contains a base address of 0 and a limit of 3FFH, 
which is compatible with the 8086 processor. However, the LIDT instruction,can be used 
in real-address mode to change the base and limit values in the IDTR register. See 
Chapter 9 for details on the IDTR register, and the LIDT and SIDT instructions. If an 
interrupt occurs and its entry in the interrupt table is beyond the limit stored in the 
IDTR register, a double-fault exception is generated. 7 
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22.4 ENTERING AND LEAVING REAL-ADDRESS MODE 


Real-address mode is in effect after reset initialization. Even if the system is going to run 
in protected mode, the start-up program runs in real-address mode while preparing to 
syatcn to protected mode. 


22.4.1 Switching to Protected Mode 


The only way to leave real-address mode is to switch to protected mode. The processor 
enters protected mode when a MOV to CRO instruction sets the PE (protection enable) 
bit in the CRO register. (For compatibility with the 286 processor, the LMSW instruction 
also may be used to set the PE bit.) | 


See Chapter 10 “Initialization” for other aspects of switching to protected mode. 


22.5 SWITCHING BACK TO REAL-ADDRESS MODE 


The processor re-enters real-address mode if software clears the PE bit in the CRO 
register with a MOV CRO instruction (for compatibility with the 286 processor, the 
LMSW instruction can set the PE bit, but cannot clear it). A proceaute which re-enters 
real-address mode should proceed as follows: | ar 


1. If paging is enabled, perform the following sequence: 


e Transfer control to linear addresses which have an identity mapping; i.e., linear 
addresses equal physical addresses. Ensure GDT and IDT are in identity maps. 


e Clear the PG bit in the CRO register. — 
e Move a 0 into the CR3 register to flush the TLB. 


2. Transfer control to a segment which has a limit of 64K (OFFFFH). This loads the CS 
register with the segment limit it needs to pee in real mode. Ensure GDT and IDT 
are in real memory. _ = 


oF Load segment registers SS, DS, ES, FS, and GS with a selector for. a descriptor 
_ containing the following values, which are appropriate for real mode: | 


e Limit =.64K | ae 
-e ‘Byte granular = (G =0) — 


e Expand up 7 (E = 0) 
e Writable (W = 1) 
e Present =~ =P =)" 


@ Base = = any value. 


‘Note that if the segment registers are not belonced: execution continues mene the 
descriptors loaded during protected mode. © : | 


4. Disable interrupts. A CLI instruction disables INTR interrupts. NMI 1 interrupt can 
a be disabled with external circuitry. | | 2 | ee 


5. Clear the PE bit in the CRO register. - 
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6. Jump to the real mode program using a far JMP instruction. This flushes the instruc- 
tion queue and puts appropriate values in the access rights of the CS register. 


7. Use the LIDT instruction to load the base and limit of the real-mode interrupt 
vector table. | 


8. Enable interrupts. , 
9. Load the segment registers as needed by the real-mode code. 


22.6 REAL-ADDRESS MODE EXCEPTIONS 


The Intel486 processor reports some exceptions differently when executing in real- 
address mode than when executing in protected mode. Table 22-1 details the real- 
pereee: mode exceptions. | 


22.7 DIFFERENCES FROM 8086 CPU 


In general, the Intel486 processor in real-address mode will correctly run ROM-based 
software designed for the 8086, 8088, 80186, and 80188 processors. Following is a list of 
the minor differences between program execution on the 8086 and a processors. 


1. Instruction clock counts. 


The Intel486 processor takes fewer sibeks at most instructions than ue 8086 pro- 
cessor. The areas most likely to be affected are: . 


o Delays required by I/O devices between I/O operations. 
eo Assumed delays with 8086 processor operating in parallel with an 8087. 
2. Divide-error exceptions point to the DIV instruction. | 


Divide-error exceptions on the Intel486 processor always leave the saved CS:IP 
value pointing to the instruction which failed. On the 8086 processor, the CS:IP 
value points to the next instruction. 


3. Undefined 8086 processor opcodes. 


Opcodes which were not defined for the 8086 processor generate an invalid-opcode 
exception or execute one of the new instructions introduced with the 286, Intel386 
DX or Intel486 processors. 


4. Value written by PUSH SP. 


The Intel486 processor pushes a different value on the stack for a PUSH SP instruc- 
- tion than the 8086 processor. The Intel486 processor pushes the value of the SP 
register before it is decremented as part of the push operation; the 8086 processor 
pushes the value of the SP register after it is decremented. If the value pushed is 
important, replace PUSH SP instructions with the following three instructions: 


PUSH BP. 
Mov BP, SP 
XCHG BP, (BP] 


This code functions as the 8086 processor PUSH SP instruction on the Intel486 
processor. | 
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Divide Error 
Debug 
Breakpoint 
Overflow 
Bounds Check 
Invalid Opcode 


Device not 
available 


Double Fault 


| Reserved 
Invalid Task State 


Segment? 


Segment not 
present? © 


Stack Exception 


CS, DS, ES, FS, 
GS 


Segment Overrun 


Page Fault® 


Reserved 


Floating-Point Error 
Alignment Check 


Intel Reserved 


Software Interrupt 


eran | | | : 
. Some debug exceptions point to the faulting i instruction, others point to the féllowine instruction. The 
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Table 22-1. Exceptions and Interrupts | 


Vector 


14 


15 

16 

17 
18-31 


“0 to 255 


Source of the 
Exception 


DIV and IDIV instructions 
any 

INT instruction 

INTO instruction 

BOUND instruction 


reserved opcodes and 
improper use of LOCK prefix 


ESC or WAIT instructions 


Interrupt table limit too small, 


fault occurring while handling 
another fault - 


JMP, CALL, IRET 
instructions, interrupts and 
exceptions 


any. instruction which 
changes segments 


stack operation crosses 
address limit (beyond offset 
OFFFFH) 


Word memory reference 
beyond offset OFFFFH. An 
attempt to execute past the 
end of CS segment. 


any instruction that 
references memory. 


ESC or WAIT instructions 
Any data reference 


INT n instructions 


Does the Return Address 
~ Point to the 


Instruction Which Caused 


the Exception? 


exception handler can test the DR6 register to determine which has occurred. 


2. Floating-point errors are reported on the first ESC or WAIT instruction after the ached instruction which 
generated the error. | 
3. ie ae 10, 11, 14 and 17 will not occur in Real Mode, but are possible in VM86 miedé. 
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. Shift or rotate by more than 31 bits. 


The Intel486 processor masks all shift and rotate counts to the lowest five bits. This 
MOD 32 operation limits the count to a maximum of 31 bits, which limits the 
amount of time that interrupt response may be delayed while the instruction is 
executing. 


. Redundant prefixes. 


The Intel486 processor sets a limit of 15 bytes on instruction length. The only way to 
violate this limit is by putting redundant prefixes before an instruction. A general- 
protection exception is generated if the limit on instruction length is violated. The 
8086 processor has no instruction length limit. 


. Operand crossing offset 0 or 65,535. 


On the 8086 processor, an attempt to access a memory operand which crosses offset 
65,535 (e.g., MOV a word to offset 65,535) or offset 0 (e.g., PUSH a word when SP > 
= 1) causes the offset to wrap around modulo 65,536. The Intel486 processor gen- 
erates an exception in these cases: a general-protection exception if the segment is a 
data segment (i.e. if the CS, DS, ES, FS, or GS register is being used to address the 
segment) or a stack exception if the segment is a stack segment (i. a if the SS 


_ register is being used). 


. Sequential execution across offset 65,535. 


On the 8086 processor, if sequential execution of instructions proceeds past offset 
65,535, the processor fetches the next instruction byte from offset 0 of the same 
segment. On the Intel486 processor, the processor generates a eee protection 


exception in such a case. 


10. 


. LOCK is restricted to sapien instructions. 


The LOCK prefix and its output signal should only be used to prevent other bus 
masters from interrupting a data movement operation. The LOCK prefix only may 
be used with the following Intel486 CPU instructions when they modify memory. An 
invalid-opcode exception results from using LOCK before any other instruction, or 
with these instructions when no write operation is made to memory. 


e Bit test and change: the BTS, BTR, and BTC instructions. 

e Exchange: the XCHG, XADD, and CMPXCHG instructions (no LOCK prefix is 
needed for the XCHG instruction). 

oe One-operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 


e Two- -operand arithmetic and wens the ADD, ADC, SUB, SBB, AND, OR, and 
_. XOR instructions. 


Single-stepping external interrupt handlers. 


The priority of the Intel486 CPU single-step exception is different from the 8086 
processor. The change prevents an external interrupt handler from being single- 
stepped if the interrupt occurs while a program is being single-stepped. The Intel486 
CPU single-step exception has higher priority than any external interrupt. The 
Intel486 processor still may single-step through an interrupt handler called by the 
INT instructions or by an exception. — 
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IDIV exceptions for quotients of 80H or 8000H. , 
The Intel486 processor can generate the largest negative number as a quotient for 


_ the IDIV instruction. The 8086 processor generates a divide-error i instead. 


12. 


Flags in stack. 


The setting of the flags stored by the PUSHF instruction, by interrupts, a by 
exceptions is different from that stored by the 8086 processor in bit positions 12 
through 15. On the 8086 processor these bits are set, but in the Intel486 CPU | 
real-address mode, bit 15 is always clear, and bits 14 through 2 nave the last value 


~ loaded into them. 


TS: 


14. 


NMI interrupting NMI handlers. 


After an NMI interrupt is recognized by the Intel486 processor, the NMI interrupt. 
is masked until an IRBT instruction is executed. — 


Floating- -point errors Seal the floating- point error exception. i 


- Floating- point exceptions on the Intel486 processor call the floating-point. error 


15. 


16. 


17. 


- exception handler. If an 8086 processor uses another exception for the 8087 inter- 


rupt, both exception vectors should call the floating-point error exception handler. 
The Intel486 processor has signals which, with the addition of external logic, support 
user-defined error reporting for emulation of the interrupt mechanism used in many 
personal computers. 


‘Numeric exception handlers should allow prefixes. 


On the Intel486 processor, the value of the CS and IP registers saved for floating- 
point exceptions points at any prefixes which come before the ESC instruction. On 
the 8086 processor, the saved CS:IP points to the ESC instruction. 


Floating- -Point Unit does not use interrupt controller. 


The floating-point error signal to the Intel486 processor does not pass ‘rough an 
interrupt controller (an INT signal from 8087 coprocessor does). Some. instructions 
in a floating-point error exception handler may need to be deleted if they use the 
interrupt controller. The Intel486 processor has signals which, with the addition of 


external logic, support user- -defined error reporting for emulation of the interrupt 
mechanism used in many personal computers. 


Seven new interrupt vectors. 


The Intel486 processor adds seven exceptions which are generated on an 8086 pro- 
cessor only by program bugs. Exception handlers should be added which treat these 
exceptions as invalid operations. This additional software does not significantly 
affect the existing 8086 processor software, because these interrupts do not occur 
normally. These interrupt identifiers should not already have been used by the 8086 


processor software, because they are reserved yy Intel. Table 22-2 describes the new 


. Pivetoe er Exe puOns: x 


18. 


The Acnommull exception of the Intel486 FPU i is handled diferently than on the 8087 
math coprocessor. See Section 16.2.4 for more details. - 
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19. 


20. 


2. 


22. 


Table 22-2. New Intel486™ CPU Exceptions 


A BOUND instruction was executed with a register value outside the limit 
values. | 


A reserved opcode was encountered, or a LOCK prefix was used — 
improperly. 


The EM bit in the CRO register was set when an ESC instruction executed, 
or the TS bit was set when a WAIT instruction was executed. 


A vector indexes to an entry in the IDT which is beyond the segment limit | 
for the IDT. This can only occur if the default limit has been changed. 


A stack operation crossed the address limit. 


An operation (other than a stack operation) exceeds the base or bounds of 
a segment, instruction execution is crossing the address limit (OFFFFH), or 
an instruction exceeds 15 bytes. 


Alignment-check. Cannot occur without setting neue reserved bits. 


One megabyte wraparound. 


The address space of the Intel486 processor may not wraparound at 1 megabyte in 


real-address mode. An external pin A2Z0M# forces wraparound if enabled. On mem- 
bers of the 8086 family, it is possible to specify addresses greater than 1 megabyte. 
For example, with a selector value OFFFFH and an offset of OFFFFH, the effective 
address would be 1OFFEFH (1 megabyte +. 65519 bytes). The 8086 processor, which 
can form addresses up to 20 bits long, truncates the uppermost bit, which “wraps” 
this address to OFFEFH. However, the Intel486 processor does not truncate this bit 
if A2Z0M# is not enabled. 


Response to bus hold. 


Unlike the 8086 and 286 processors, but like the Intel386 processors, the Intel486 
processor responds to requests for control of the bus from other potential bus mas- 
ters, such as DMA controllers, between transfers of parts of an unaligned operand, 
such as two words which form a doubleword. Unlike the Intel386 processors, the 


_Intel486 processor responds to bus hold during reset initialization. 


Interrupt vector table limit. 


The LIDT instruction can be used to set a lina on the size of the interrupt vector 
table. Shutdown occurs if an interrupt or exception attempts to read a vector beyond 
the limit. (The 8086 processor does not have a shutdown mode.) 


If a stack operation wraps around the address limit, shutdown occurs. (The 8086 
processor does not have a shutdown mode.) 


22.8 DIFFERENCES FROM 286 CPU IN REAL-ADDRESS MODE 


The few differences which exist between Intel486 CPU real-address mode and 286 CPU 
real-address mode are not likely to affect any existing 286 CPU programs except possibly 
the system initialization procedures. 
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22.8.1 Bus Lock 


The 286 processor implements the bus lock function differently than the Intel486 pro- 
cessor. Programs which use forms of memory locking specific to the 286 processor may 
not run properly if transported toa specific appucaHons of the Intel486 processor. 


The LOCK prefix and its bus signal only should be used to prevent other bus masters 
from interrupting a data movement operation. The LOCK prefix only may be used with 
the following Intel486 CPU instructions when they modify memory. An invalid-opcode 
exception results from using the LOCK prefix before any other instruction, or with these 
instructions when no write operation is made to memory (i.e., when the destination 
operand is in a register). 


© Bit test avid change: the. BTS, BTR, and BTC instructions. 


e Exchange: the XCHG, XADD, and. CMPXCHG instructions Ane LOCK eons is 
- needed. for the XCHG instruction). 


e One-operand arithmetic and logical: the INC, DEC. NOT, NEG instructions. 


e Two- -operand ae and logical: the ADD, aes SUB, SBB, AND, OR, and 
| oo instructions. 


Avllogked aes 1S guaranteed to lock only the area of memory defined by the 
destination operand, but may lock a larger memory area. For example; typical 8086. and 
80286 CPU configurations lock the entire physical memory space. , 


ia Focalion of First Instruction 


The starting location i is : OFFFFFFFOH (16 bytes from end of the 32- bit address space) on 
the Intel486 processor rather than OFFFFFOH (16 bytes from end of the 24-bit address 
space) as on the 286 processor. Many 286 ROM initialization programs will work cor- 
rectly in this new environment. Others can be made to work correctly with external 
hardware. to MuLeIHESt the senels on-the address epee A31-20- 


22.8.3 Initial Values of General Registers — 


On the Intel486 processor, certain general registers may contain different values after 
reset initialization than on the 286 processor. This should not cause compatibility prob- 
lems, because the contents of 8086 registers after reset initialization are undefined. If 
self-test is. requested during the reset sequence and errors are detected in the. Intel486 
processor, the EAX register will contain a non-zero value. The EDX register contains 
the component and revision identifier. See Chapter 10 for more information. | 
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22.8.4 Bus Hold 


Unlike the 8086 and 286 processors, the Intel386 and Intel486 processors respond to 
requests for control of the bus from other potential bus masters, such as DMA control- 
lers, between transfers of parts of an unaligned operand, such as two words which form 
a doubleword. 


22.8.5 Math Coprocessor Differences 


The Intel486 FPU denormal exception works differently than on the Intel287 math 
coprocessor. See Section 16.2.4 for more details. 


Exception 9 cannot occur on Intel486 microprocessors. 


22.9 DIFFERENCES FROM Intel386 DX CPU IN REAL-ADDRESS MODE 


The instructions and architectural features which are new with the Intel486 processor 
can be accessed in real-address mode. This should not affect most software, because the 
new opcodes previously generated the invalid-opcode exception. The new flag and reg- 
ister bits were previously reserved, so there should be no software which uses them 
improperly. | 


Caching can be enabled in real-address mode. For maximum performance, initialization 
software must enable caching. 


22.10 PROCESSOR DETECTION CODE 


The following code sequence (see Figure 22-2) can be used to distinguish between 8086, 
286 and Intel386 processors. This code is intended for application programs executing in 
real-address mode. Refer to Figure 3-23 for complete CPU and coprocessor identifica- 
tion code. | 
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° 
, 
e 
, 


pushf 

pop bx 

and bx,0fffh 
push bx 

popf 

pushf 


pop ax 


and ax,0£000h | 


emp ax,0f000h 
jz is_ 8086 


or bx,0f000h 
push bx. | 
popf. 

pushf 

pop ax 


and ax,0f000h 


4z is 80286 


is 80386: 
mov ax,386h 
jmp done 

is 80286: 
mov ax,286h 
jmp done 

is 8086: 

| mov ax, 86h 


done: 


popf 
ret 


is 386 endp 


REAL-ADDRESS MODE 


near 


; Returns the processor type in the AX register. 


save FLAG register 
store FLAGs in BX 
clear bits 12-15 
store on stack 


; pop word into the FLAG register 


store FLAGs on stack 
recover FLAG word 


if bits 12-15 are set, then the 
processor is an 8086 


try to set FLAG bits 12- oe 


; store on stack 
; pop word into the FLAG eeglscer 


store FLAGS on stack 
recover FLAG word 


if bits 12-15 are cleared, then 
the EEE Se is an 80286 


; else the processor is a 386 DX CPU 
; set the 386 DX CPU indicator 


set the 80286 indicator 


- set the 8086 indicator 


recover FLAG register 
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Figure 22-2. Real-Address Detection Code 
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CHAPTER 23 | 
VIRTUAL-8086 MODE 


The Intel486 processor supports execution of one or more 8086, 8088, 80186, or 80188 
programs in an Intel486 protected-mode environment. An 8086 program runs in this 
environment as part of a virtual-8086 task. Virtual-8086 tasks take advantage of the 
hardware support of multitasking offered by the protected mode. Not only can there be © 
multiple virtual-8086 tasks, each one running an 8086 program, but virtual-8086 tasks can 
run in multitasking with other Intel486 tasks. 


The purpose of a virtual-8086 task is to form a “virtual machine” for running programs 
written for the 8086 processor. A complete virtual machine consists of Intel486 hardware 
and system software. The emulation of an 8086 processor is the result of software using 
hardware in the following ways: 


e The hardware provides a virtual set of registers (through the TSS), a virtual memory 
space (the first. megabyte of the linear address space of the task), and directly exe- 
cutes all instructions which deal with these registers and with this address space. 


eo The software controls the external interfaces of the virtual machine (J/O, interrupts, 
and exceptions) in a manner consistent with the larger environment in which it runs. 
In the case of I/O, software can choose either to emulate I/O instructions or to let the 
hardware execute them directly without software intervention. 


Software which supports virtual 8086 machines is called a virtual-8086 monitor. © 


23.1 EXECUTING 8086 CPU CODE 


The processor runs in virtual-8086 mode when the VM (virtual machine) bit in the 
EFLAGS register is set. The processor tests this flag under two general conditions: 


1. When loading segment registers, to know whether to use 8086-style address 
translation. 


2. When decoding instructions, to determine which instructions are sensitive to IOPL, 
and which instructions are not supported (as in real mode). 


23.1.1 Registers and Instructions 


The register set available in virtual-8086 mode includes all the registers defined for the 
8086 processor plus the new registers introduced by the Intel486 processor: FS, GS, 
debug registers, control registers, and test registers. New instructions, which explicitly 
operate on the segment registers FS and GS, are available. The new segment-override 
prefixes can be used to cause instructions to use the FS and GS registers for address 
calculations. Instructions can use 32-bit operands through the use of the operand size 
prefix. 
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Programs running as virtual-8086 tasks can take advantage of the new application- 
oriented instructions added to the architecture by the introduction of the 80186, 80188, 
286, Intel386 DX, SX and Intel486 processors: 


e New instructions introduced on the 80186, 80188, and 286 processors. 
— PUSH immediate data 
— Push all and pop all (PUSHA and PoPA) 
— Multiply immediate data 
— Shift and rotate by immediate count 
— String I/O 
— ENTER and LEAVE instructions © 
— BOUND instruction — 
e New instructions introduced on the Intel386 DX and Sx processors. — 
— LSS, LFS, LGS instructions | | 
— Long-displacement conditional jumps 
— Single-bit instructions | 
— Bit scan instructions 
— Double-shift instructions 
— Byte set on condition instruction 
— Move with sign/zero extension 
— Generalized multiply instruction 
-e New instructions introduced on the Intel486 Piece 
— BSWAP instruction | 
— XADD instruction _ 
— CMPXCHG instruction 


_ 23.1.2 Address Translation 


In virtual-8086 mode, the Intel486 processor does not interpret 8086 selectors by refer- 
ring to descriptors; instead, it forms linear addresses as an 8086 processor would. It shifts 
the selector left by four bits to form a 20-bit base address. The effective address is 
extended with four clear bits in the upper bit positions and added to the base address to 
- create a linear address, as shown in Figure 23-1. 


Because of the possibility of a carry, the resulting linear address may have as many as 21 
significant bits. An 8086 program may generate linear addresses anywhere in the range 0 
to 1OFFEFH (1 eae plus approximately 64K Oey of the task’s linear address 
space. ge 


‘Virtual- 8086 ae generate 32-bit iineat addresses. While an 8086 nae Sily can use 


the lowest 21 bits of a linear address, the linear address can be mapped using paging t to 
any 32-bit physical address. 
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19 3 0 


16-BIT SEGMENT SELECTOR 0000 


" 19 15 : 0 


OFFSET 0000] 16-BIT EFFECTIVE ADDRESS 


20 0 


ADDRESS XXXXXXXXXXXXXXXXXXKKKX 
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Figure 23-1. 8086 Address Translation 


Unlike the 8086 and 286 processors, but like the Intel386 processors, the Intel486 pro- 
cessor can generate 32-bit effective addresses using an address override prefix; however 
in virtual-8086 mode, the value of a 32-bit address may not exceed 65,535 without caus- 
ing an exception. For full compatibility with 286 real-address mode, pseudo-protection 
faults (interrupt 12 or 13 with no error code) occur if an effective address is generated 
outside the range 0 through 65,535. 


23.2 STRUCTURE OF A VIRTUAL-8086 TASK 


A virtual-8086 task consists of the 8086 program to be run and the Intel486 CPU “native 
mode” code which serves as the virtual-machine monitor. The task must. be represented 
by an Intel486 CPU TSS (not a 286 TSS). The processor enters virtual-8086 mode to run: 
the 8086 program and returns to protected mode to run the monitor or other Intel486 
CPU tasks. 


To run in virtual-8086 mode, an existing 8086 processor program needs the following: 
eo A-virtual-8086 monitor. 


o Operating-system services. 


The virtual-8086 monitor is Intel486 CPU protected-mode code which runs at privilege- 
level 0 (most privileged). The monitor mostly consists of initialization and exception- 
handling procedures. As with any other Intel486 CPU program, code-segment 
descriptors for the monitor must exist in the GDT or in the task’s LDT. The linear 
addresses above 1OFFEFH are available for the virtual-8086 monitor, the operating sys- 
tem, and other system software. The monitor also may need data-segment descriptors SO 
it can examine the interrupt vector table or other parts of the 8086 program in the first 
megabyte of the address space. 
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In general, there are two options for implementing the 8086 operating system: 


1. The 8086 operating system may run as part of the 8086 program. This ash is 
desirable for either of the following reasons: 


e The 8086 application code modifies: the operating system. 


e There is not sufficient development time to reimplement the 8086 operating sys- 
tem as an Intel486 CPU operating system. | 


2. The 8086 operating system may be implemented or emulated in the virtual-8086 
monitor. This approach is desirable for any of the following reasons: 


0 Operating system functions can be more easily coordinated among several virtual- 
8086 tasks. 


e The functions of the 8086 operating system can be easily emulated by calls to the 
Intel486 CPU operating system. 


Note that the approach chosen for implementing the 8086 processor operating system | 
may have different virtual-8086 tasks using different 8086 operating systems. 


23.2.1 Paging for Virtual-8086 Tasks - 


Paging is not necessary for a single virtual- 3086 task, but paging is useful or necessary for 
any of the following reasons: 


e Creating multiple virtual-8086 ake Each task must map the one megabyte se lin- 
ear addresses to different ‘physical locations.. 


° Emulating the address wraparound which occurs at 1 megabyte. With members of the 
-. 8086 family, it is possible to specify addresses larger than 1 megabyte. For example, 
with a selector value of OFFFFH and an offset of OFFFFH, the effective address 
would be 10FFEFH (1 megabyte plus 65519 bytes). The 8086 processor, which can 
' form addresses only up to 20 bits long, truncates the high-order bit, thereby “‘wrap- 
ping” this address to OFFEFH. The Intel486 processor, however, does not truncate 
such an address. If any 8086 processor programs depend on address wraparound, the 
same effect can be achieved in a virtual-8086 task by mapping linear addresses 
between 100000H and 110000H and linear addresses between 0 and 10000H to the 
same physical addresses. 


° Creating a virtual address space larger than the physical address space. 7 | 


° Sharing 8086 operating asin or ROM code wach is common to several 8086 pro- 
: gram nunnine in a Uns: 2 ete & | : 


“Reaireouig or Hiaipping ceieienpes to memory-mapped I/O devices. 


23-4 


intel : VIRTUAL-8086 MODE 


23.2.2 Protection within a Virtual-8086 Task 


Protection is not enforced between the segments of an 8086 program. To protect the 
system software running in a virtual-8086 task from the 8086 application program, soft- 
ware designers may follow either of these approaches: 


e Reserve the first megabyte (plus 64K bytes) of each task’s linear address space for the 
8086 processor program. An 8086 processor task cannot generate addresses outside 
this range. | 


e Use the U/S bit of page-table entries to protect the virtual-machine monitor and 
other system software in each virtual-8086 task’s space. When the processor is in 
-_virtual-8086 mode, the CPL is 3 (least privileged). Therefore, an 8086 processor pro- 
gram has only user privileges. If the pages of the virtual-machine monitor have super- 
visor privilege, they cannot be accessed by the 8086 program. 


23.3 ENTERING AND LEAVING VIRTUAL-8086 Mode 


Figure 23-2 summarizes the ways to enter and leave an 8086 program. Virtual-8086 
mode is entered by setting the VM flag. There are. two ways to do this: 


1. A task switch to an Intel486 processor task loads the image of the EFLAGS register 
from the new TSS. The TSS of the new task must be an Intel486 CPU TSS, not an 
80286 TSS, because the 80286 TSS does not load the high word of the EFLAGS 
register, which contains the VM flag. A set VM flag in the new contents of the 
EFLAGS register indicates that the new task is executing 8086 instructions; there- 
fore, while loading the segment registers from the TSS, the Intel486 processor forms 
base addresses in the 8086 style. | | | 


2. An IRET instruction from a procedure of an Intel486 CPU task loads the EFLAGS 
register from the stack. A set VM flag indicates the procedure to which control is 
being returned to be an 8086 procedure. The CPL at the time the IRET instruction 
is executed must be 0, otherwise the processor does not change the state of the VM 
flag. 


’ MODE TRANSITION DIAGRAM 


TASK SWITCH INITIAL 
| ORIRET ‘ENTRY | | 


INTERRUPT, EXCEPTION 
V86 MONITOR 


8086 PROGRAM 
IRET (PROTECTED 
(V86 MODE) MODE 


TASK | ‘TASK 
SWITCH | oTHER i486™ CPU TASKS SWITCH 
(PROTECTED MODE) 


TASK SWITCH 
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Figure 23-2. Entering and Leaving Virtual-8086 Mode 
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When a task switch is used to enter virtual-8086 mode, the segment registers are loaded 
from a TSS. But when an IRET instruction is used to set the VM flag, the segment 
registers keep the contents loaded during protected mode. Software should then reload 
these registers with segment selectors SPEEODHSIC for virtual-8086 mode. 


The processor leaves virtual-8086 mode when an interrupt or ae ea occurs. There 
are two Cases: - 


1. The interrupt or exception causes a task switch. A task switch from a virtual- 8086 
task to any other task loads the EFLAGS register from the TSS of the new task. If 
the new TSS is an Intel486 TSS and the VM flag in the new contents of the 
EFLAGS register is clear or if the new TSS is an 80286 TSS, the processor clears the 

VM flag of the EFLAGS register, loads the segment registers from the new TSS 
using Intel486 CPU-style address formation, and begins executing the instructions of 
the new task in Intel486 CPU protected mode. 


2. The interrupt or exception calls a privilege-level 0 procedure (most privileged). The 
processor stores the current contents of the EFLAGS register on the stack, then 
clears the VM flag. The interrupt or exception handler, therefore, runs as “native” 
Intel486 CPU protected-mode code. If an interrupt or exception calls a procedure in 
a conforming segment or in a segment at a privilege level other than 0 (most privi- 
leged), the processor generates a general-protection exception; the error code is the 
selector of the code segment to which a call was attempted. 


System software does not change the state of the VM flag directly, but instead changes 
states in the image of the EFLAGS register stored on the stack or in the TSS. The 
virtual-8086 monitor sets the VM flag in the EFLAGS image on the stack or in the TSS 
when first creating a virtual-8086 task. Exception and interrupt handlers can examine the 
VM flag on the stack. If the interrupted procedure was running in virtual-8086 mode, the 
handler may need to call the virtual-8086 monitor. 


23.3.1 Transitions Through Task Switches 


A task switch to or from a virtual-8086 task may come from any of three causes: 
1. An interrupt which calls a task gate. | | 
2. An action of the scheduler of the Intel486 CPU Spemting eystent 

2. Executing an IRET instruction when the NT flag is set. 


In any of these cases, the processor changes the VM flag in the EFLAGS register 
according to the image in the new TSS. If the new TSS is an 80286 TSS, the upper word 
of the EFLAGS register is not in the TSS; the processor clears the VM flag in this case. 
The processor updates the VM flag prior to loading the segment registers from their 
images in the new TSS. The new setting of the VM flag determines whether the proces- 
sor interprets the new Srement cae uneees as 8086 selectors or r 80286 and Intel486 
CPU selectors. : 
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23.3.2 Transitions Through Trap Gates and Interrupt Gates 


The Intel486 processor leaves virtual-8086 mode as the result of an exception or inter- 
rupt which calls a trap or interrupt gate. The exception or interrupt handler returns to 
the 8086 program by executing an IRET instruction. 


Because it was designed to run on an 8086 processor, an 8086 program in a virtual-8086 
task will have an 8086-style interrupt table, which starts at linear address 0. However, the 
Intel486 processor does not use this table directly. For all exceptions and interrupts 
which occur virtual-8086 mode, the processor calls handlers through the IDT. The IDT 
entry for an interrupt or exception in a virtual-8086 task must contain either: 


e A task gate. 


e An Intel486 CPU trap gate (descriptor type 14) or Intel486 CPU interrupt gate 
(descriptor type 15), which must point to a nonconforming, privilege-level 0 (most 
privileged), code segment. 


Interrupts and exceptions which call Intel486 CPU trap or interrupt gates use privilege- 
level 0. The contents of the segment registers are stored on the stack for this privilege 
level. Figure 23-3 shows the format of this stack after an exception or interrupt which 
occurs while a virtual-8086 task is running an 8086 program. 


WITHOUT ERROR CODE WITH ERROR CODE 


TSS TSS 
: OLD GS 

OLD FS 

OLD DS 


OLD SS 
OLD ESP 
OLD EFLAGS 


OLD CS 


OLD EIP — NEW ESP OLD EIP 
ERROR CODE 
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Figure 23-3. Privilege Level 0 Stack After Interrupt in Virtual-8086 Mode 
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After the processor saves the 8086 segment registers on the stack for privilege level 0, it 
clears the segment registers before running the handler procedure. This lets the inter- 
rupt handler safely save and restore the DS, ES, FS, and GS registers as though they 
were Intel486 CPU selectors. Interrupt handlers, which may be called in the context of 
either a regular task or a virtual-8086 task, can use the same code sequences for saving 
and restoring the registers for any task. Clearing these registers before execution of the 
IRET instruction does not cause a trap in the interrupt handler. Interrupt procedures 
which expect values in the segment registers or which return values in the segment 
registers must use the register images saved on the stack for privilege level 0. Interrupt 
handlers which need to know whether the interrupt occurred in virtual-8086 mode can 
examine the VM flag in the stored contents of the EFLAGS register. 


An eee handler passes control to the virtual- 8086 monitor if the VM flag is set in 
the EFLAGS image stored on the stack and the interrupt or exception is one which the 
monitor needs to handle. The virtual-8086 monitor may either: 


o Handle the interrupt within the virtual-8086 monitor. 


o Call the 8086 program’s interrupt handler. 


Sending an interrupt or exception back to the 8086 program involves the following steps: 
1. Use the 8086 interrupt vector to locate the appropriate handler procedure. 
2. Store the state of the 8086 program on the privilege-level 3 stack (least privileged). 


3. Change the return link on the privilege- -level 3 stack to point to the privilege-level 3 
_ handler procedure. | 


4. Execute an IRET instruction to pass control to the handler. 


5. When the IRET instruction from the privilege- -level 3 handler again calls the virtual- 
8086 monitor, restore the return link on the privilege- “level 0 stack to point to the 
original, interrupted, privilege-level 3 procedure. 


6. Execute an IRET instruction to pass control back to the interrupted procedure. 


23. 4 ADDITIONAL SENSITIVE INSTRUCTIONS 


When the Intel486 processor is running in virtual-8086 figee: the PUSHF, POPF, INT n 
and IRET instructions are sensitive to IOPL. The IN, INS, OUT, and OUTS instruc- 
_ tions, which are sensitive to IOPL in protected mode, are not sensitive in virtual-8086 
mode. Following is a complete list of instructions which are sensitive in virtual-8086 
mode: 


CLI — Clear Interrupt-Enable Flag 
STI _ — Set Interrupt-Enable Flag 
PUSHF — Push Flags 

POPF — Pop Flags 

INT n — Software Interrupt 

JIRET © — Interrupt Return 
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The CPL is always 3 while running in virtual-8086 mode; if the IOPL is less than 3, an 
attempt to use the instructions listed above will trigger a general-protection exception. 
These instructions are sensitive to the IOPL to give the virtual-8086 monitor a chance to 
emulate the facilities they affect. 


23.4.1 Emulating 8086 Operating System Calls 


The INT 7 instruction is sensitive to IOPL so a virtual-8086 monitor can intercept calls 
to the 8086 operating system. Many 8086 operating systems are called by pushing param- 
eters onto the stack, then executing an INT n instruction. If the IOPL is less than 3, 
INT n instructions are intercepted by the virtual-8086 monitor. The virtual-8086 monitor 
then can emulate the function of the 8086 operating system or send the interrupt back to 
the 8086 operating system. 


23.4.2 Emulating the Interrupt-Enable Flag 


When the Intel486 processor is running an 8086 program in a virtual-8086 task, the | 
PUSHF, POPF, and IRET instructions are sensitive to the IOPL. This lets the virtual- 
8086 monitor protect the interrupt-enable flag (IF). Other instructions which affect the 
IF flag (such as the STI and CLI eee) are sensitive to the IOPL in both 8086 and 
Intel486 CPU programs. | 


Many 8086 programs written for acuanbliadine systems set and clear the IF flag to 
control interrupts. This may cause problems in a multitasking environment. If the IOPL 
is less than 3, all instructions which change or test the IF flag generate an exception. The 
virtual-8086 monitor then can control the IF flag in a manner companle with the 
‘Intel486 CPU environment and transparent to 8086 programs. 


23.5 VIRTUAL 1/0 


Many 8086 programs written for non-multitasking systems directly access I/O ports. This 
may cause problems in a multitasking environment. If more than one program accesses 
the same port, they may interfere with each other. Most multitasking systems require 
application programs to access I/O ports through the operating system. This results in 
simplified, centralized control. 


The Intel486 processor provides I/O protection for creating I/O which is compatible with 
the Intel486 CPU environment and transparent to 8086 programs. Designers may take 
any of several possible approaches to protecting I/O ports: 


o Protect the I/O address space and generate exceptions for all attempts to perform I/O 
directly. 


o Let the 8086 processor program perform I/O directly. 
o Generate exceptions on attempts to access specific /O ports. 


0 Generate exceptions on attempts to access specific memory-mapped I/O ports. 
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The method of controlling access to I/O ports depends upon whether they are 1/O- 
mapped or memory-mapped. 


23.5.1 1/O-Mapped |/O 


The I/O address space in virtual-8086 mode differs from protected mode only because 
the IOPL is not checked. Only the I/O permission bit map is checked when virtual-8086 
tasks access the I/O address space. 


The I/O permission bit map can be used to generate exceptions on attempts to access 
specific I/O addresses. The I/O permission bit map of each virtual-8086 task determines 
which I/O addresses generate exceptions for that task. Because each task may have a 
different I/O permission bit map, the addresses which generate exceptions for one task 
may be different from the addresses for another task. See Chapter 8 tor more informa- — 
tion about the I/O permission bit map. 


23.5.2 Memory-Mapped I/O 


In systems which use memory-mapped I/O, the paging facilities of the Intel486 processor 
can be used to generate exceptions for attempts to access I/O ports. The virtual-8086 
monitor may use paging to control memory-mapped I/O in these ways: 


° ‘Map part of the linear address Space of each task which needs to perform I/O to the 
physical address space where I/O ports are placed. By putting the I/O ports at differ- 
ent addresses (in different pages), the paging mechanism can enforce isolation - 
between tasks. 


e Map part of the linear address space to pages which are not-present. This generates 
an exception whenever a task attempts to perform I/O to those pages. System soft- 
ware then can interpret the I/O operation being attempted. 


Software emulation of the I/O space may require too much operating system interven- 
tion under some conditions. In these cases, it may be possible to generate an exception 
for only the first attempt to access I/O. The system software then may determine 
whether a program can be given exclusive control of I/O temporarily, the protection of 
the I/O space may be lifted, and the program allowed to run at full speed. 


23.5.3 Special I/O Buffers 


Buffers of intelligent controllers (for example, a bit-mapped frame buffer) also can be 
emulated using page mapping. The linear space for the buffer can be mapped to a 
different physical space for each virtual-8086 task. The virtual-8086 monitor then can 
control which virtual buffer to copy onto the real buffer in the physical address space. 
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23.6 DIFFERENCES FROM 8086 CPU 


In general, virtual-8086 mode will run software written for the 8086, 8088, 80186, and 
80188 processors. The following list shows the minor differences between the 8086 pro- 
cessor and the virtual-8086 mode of the Intel486 processor. 


1. Instruction clock counts. 


The Intel486 processor takes fewer clocks for most instructions than the 8086 pro- 
cessor. The areas most likely to be affected are: 
e Delays required by I/O devices between I/O operations. 


e Assumed delays with 8086 processor operating in parallel with an 8087. 


2. Divide exceptions point to the DIV instruction. 


Divide exceptions on the Intel486 processor always leave the saved CS:IP value 
pointing to the instruction which failed. =a the 8086 processor, the CS:IP value 
points to the next instruction. ? 


3. Undefined 8086 processor opcodes. 


Opcodes which were not defined for the 8086 processor generate an invalid-opcode 
or execute as one of the new instructions defined for the Intel486 processor. 


4. Value written by PUSH SP. 


The Intel486 processor pushes a different value on the stack for PUSH SP than the 
8086 processor. The Intel486 processor pushes the value in the SP register before it 
is decremented as part of the push operation; the 8086 processor pushes the value of 
the SP register after it is decremented. If the pushed value is important, replace 
PUSH SP instructions with the following three instructions: 


PUSH BP 
MOV BP, SP 
XCHG BP, (BP) 


This code functions as the 8086 PUSH SP instruction on the Intel486 processor. 


5. Shift or rotate by more than 31 bits. | 
The Intel486 processor masks all shift and rotate counts to the lowest five bits. This 


limits the count to a maximum of 31 bit positions, thereby limiting the time that 
interrupt response is delayed while the instruction executes. 


6. Redundant prefixes. 
The Intel486 processor limits instructions to 15 bytes. The only way to violate this 
limit is with redundant prefixes before an instruction. A general-protection excep- 
tion is generated if the limit on instruction length is violated. The 8086 processor has 
no instruction length limit. 


7. Operand crossing offset O or 65,535. 


On the 8086 processor, an attempt to access a memory operand which crosses offset 
65,535 (e.g., MOV a word to offset 65,535) or offset 0 (e.g., PUSH a word when the 
contents of the SP register are 1) causes the offset to wrap around modulo 65,536. 
The Intel486 processor generates an exception in these cases, a general-protection 
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exception if the segment is a data segment (i.e.,.if the CS, DS, ES, FS, or GS register 
is being used to address the segment), or a stack Bd if the segment is a Stack 


segment (i.e., if the SS register is pons oe) 


Sequential execution across offset 65, 535. 


On the 8086 processor, if sequential execution of instructions proceeds past offset 
65,535, the processor fetches the next instruction byte from offset 0 of the same 
segment. On the Intel486 processor, the DEO! generates a general-protection 
exception. 


LOCK is restricted to certain instructions. 


The LOCK prefix and its output signal should only be ane to prevent other bus 
masters from interrupting a data movement operation. The LOCK prefix only may 


_ be used with the following Intel486 CPU instructions when they modify memory. An 
~ - Invalid-opcode exception results from using LOCK before any other instruction, or 


10. 


ine 


12; 


with these instructions when no write operation is made to memory. 
e Bit test and change: the BTS, BTR, and BTC instructions. 


e Exchange: the XCHG, XADD, and CMPXCHG instructions oe LOCK prefix is 


needed for the XCHG instruction). 
e One-operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 


_e@ Two-operand arithmetic and neta the ADD, ADC, SUB, SBB, AND, OR, and 
... XOR instructions. , | 


Single- sienpine everaal nitentine Handles | 


The priority of the Intel486 processor single-step exception is different Roni that of 
the 8086 processor. This change prevents an external interrupt handler from being 
single-stepped if the interrupt occurs while a program is being single-stepped. The 
Intel486 processor single-step exception has higher priority than any external inter- 
rupt. The Intel486 processor will still single-step through an interrupt handler called 
by the INT instruction or by an exception. 


IDIV exceptions for quotients of 80H or 8000H. 


The Intel486 processor can generate the largest negative number as a quotient from 
the IDIV instruction. The 8086 processor generates a divide-error exception instead. 


Flags 1 in stack. 


~The contents of the EFLAGS register stored by the PUSHF instruction, by inter- 
-rupts, and by exceptions is different from that stored by the 8086 processor in bit 


positions 12 through 15. On the 8086 processor these bits are stored as though they 


13. 


were set, but in virtual-8086 mode bit 15 is always clear, and bits 14 nner 12 have 
the last value loaded into them. , 


NMI cena NMI handlers. » | 


After an NMI interrupt is accepted by the Intel486 processor, the NMI interrupt is 


-masked until an IRET instruction is executed. 
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14. 


15. 


16. 


17, 


18. 


Floating-point errors call the floating-point-error exception. 


Floating-point exceptions on the Intel486 processor call the floating-point error 


exception handler. If an 8086 processor uses another exception for the 8087 inter- 


rupt, both exception vectors should call the floating-point error exception handler. 
The Intel486 processor has signals which, with the addition of external logic, support 
user-defined error reporting for emulation of the interrupt mechanism used in ony 
personal computers. 


Numeric exception handlers should allow prefixes, 


- On the Intel486 processor, the value of the CS and IP registers saved for floating- 


point exceptions points at any prefixes which come before the ESC instruction. On 
the 8086 processor, the saved CS:IP points to the ESC instruction. 
Floating-Point Unit does not use interrupt controller. 


The floating-point error signal to the Intel486 processor does not pass through. an 
interrupt controller (an INT signal from 8087 coprocessor does). Some instructions 
in a coprocessor-error exception handler may need to be deleted if they use the | 
interrupt controller. The Intel486 processor has signals which, with the addition of 
external logic, support user- -defined error reporting for emulation of the interrupt 
mechanism used in many personal computers. 


Response to bus hold. 


Unlike the 8086 and 286 processors; the Intel486 processor responds to requests for 
control of the bus from other potential bus masters, such as DMA controllers, 
between transfers of parts of an unaligned operand, such as two wanes which form a a 
doubleword. os 
CPL is 3 in virtual-8086 mode. 


The 8086 processor does not support protection, so it has no CPL. Virtual-8086 
mode uses a CPL of 3, which prevents the execution of privileged instructions. 
These are: 


e LIDT instruction 

e LGDT instruction 

e LMSW instruction 

e special forms of the MOV instruction for loading and storing the control registers 
e CLTS instruction 


e HLT instruction 


19. 


e INVD instruction 


~e@ WBINVD instruction 


e INVLPG instruction 


These instructions may be executed while the processor is in real- sities mode 
following reset initialization. They allow system data structures, such as descriptor 
tables, to be set up before entering protected mode. Virtual-8086 mode is » entered 
from protected mode, so it has no need for these instructions. | 


Denormal exception handling is different. See Section 16.2.4. 
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23.7 DIFFERENCES FROM 286 CPU IN REAL-ADDRESS MODE 


The differences between arial: 8086 mote and 286 real- adeces mode: affect the inter- 
face. between applications and the operating system. The application runs at privilege 
level 3 (user mode), so all attempts to use privilege-protected instructions and architec- 

tural features generate calls to the virtual-machine monitor. The monitor examines these 
calls and emulates them. : 


23.7.1 Privilege per 

Programs running in . virtual- 8086 mode have. a privilege level of 3 (user mode), which 
prevents the execution of pecerets instructions. These are: 

e LIDT instruction > 

@ LGDT instruction 

® LMSW instruction. | . 

e special forms of the MOV instruction for loading and storing the control registers 
e CLTS instruction — | 

© HLT instruction - 

© INVD instruction 

| e WBINVD instruction 

és INVLPG instruction - 


Virtual-8086 mode is entered from protected mode, so it has no need for these instruc- 
tions. These instructions can be executed in real- address mode. 


23.7.2 Bus Lock | 


The 286 processor implements the bus lock function differently than the Intel386 DX 
and Intel486 processors. This fact may or may not be apparent to 8086 programs, — 
depending on how the virtual-8086 monitor handles the LOCK prefix.: Instructions with 
the LOCK prefix are sensitive to the IOPL; software designers can choose to emulate its 
function. If, however, 8086 programs are allowed to execute LOCK directly, programs 
which use forms of memory locking specitic to the 8086 processor may not | run properly 
when run on. the Intel486 aaa cet | 


The LOCK prefix and its bus signal sai should be used to prevent other bus masters 
from interrupting a data movement operation. The LOCK prefix only may be used with 
the following Intel486 CPU instructions when they modify memory. An invalid-opcode 
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exception results from using the LOCK prefix before any other instruction, or with these 
instructions when no write operation is made to memory (i.e., when the destination 
operand is in a register). 

o Bit test and change: the BTS, BTR, and BTC instructions. 


o Exchange: the XCHG, XADD, and CMPXCHG instructions (no LOCK prefix is 
needed for the XCHG instruction). 


o QOne-operand arithmetic and logical: the INC, DEC, NOT, NEG instructions. 


° Two-operand arithmetic and logical: the ADD, ADC, SUB, SBB, AND, OR, and 
XOR instructions. 


A locked instruction is guaranteed to lock only the area of memory defined by the 
destination operand, but may lock a larger memory area. For example, typical 8086 and 
80286 configurations lock the entire physical memory space. 


Unlike the 8086 and 286 processors, the Intel386 and Intel486 processors respond to 
requests for control of the bus from other potential bus masters, such as DMA control- 
lers, between transfers of parts of an unaligned operand, such as two words which form 
a doubleword. 


23.8 DIFFERENCES FROM Iniel386 DX AND SX CPUs 
Real-address mode and virtual-8086 mode are implemented in the same way on the 


Intel486 processor as on the Intel386 processors. For maximum performance, programs 
ported to the Intel486 processor should be run with the cache enabled. 
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CHAPTER 24 
MIXING 16-S5IT AND 32-5IT CODE 


The Intel486 processor running in protected mode, like the Intel386 processors is a 
complete 32-bit architecture, but it supports programs written for the 16-bit architecture 
of earlier Intel processors. There are three levels of this support: 


1. Running 8086 and 80286 code with complete compatibility. 
2. Mixing 16-bit modules with 32-bit modules. 
3. Mixing 16-bit and 32-bit addresses and data within one module. 
The first level is discussed in Chapter 21, Chapter 22, and Chapter 23. This -chapter 


shows how 16-bit and 32-bit modules can cooperate with one another, and how one 
module can use both 16-bit and 32-bit operands and addressing. 


The Intel4g6 processor functions most efficiently when it is possible to distinguish 
between pure 16-bit modules and pure 32-bit modules. A pure 16- bit module has these 
characteristics: | 


o All segments occupy 64K bytes or less. 
oe Data items are either 8 bits or 16 bits wide. 
o Pointers to code and data have 16-bit offsets. 


© Control is transferred only among 16-bit segments. 


A pure 32-bit module has these characteristics: 

o Segments may occupy more than 64K bytes (0 bytes to 4 een 

o Data items are either 8 bits or 32 bits wide. 

0 Pointers to code and data have 32-bit offsets. 

© Control is transferred only among 32-bit segments. | 

A program written for 16-bit processor would be pure 16-bit code. A new program 
written for the protected mode of the Intel486 processor would be pure 32-bit code. As 


applications move from 16-bit processors to the 32-bit Intel486 processor, there will be 
cases where 16-bit and 32-bit code will need to be mixed. Reasons for mixing code are: 


@ Modules will be converted one- ByrOne from 16-bit environments to 32-bit 
environments. _ 7 


eo Older, 16-bit compilers and software-development tools will be used in the new 32-bit 
operating environment until new 32-bit tools are available. , 


0 The source code of 16-bit modules is not available for modification. 
o The specific data structures used by a given module are fixed at 16-bit word Size. 


eo The native word size of the source language is 16 bits. 
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24.1 USING 16-BIT AND 32-BIT ENVIRONMENTS 


The features of the architecture which permit the Intel486 pone to mix 16-bit and 
32-bit address and operand size include: 


The D-bit (default bit) of code- -segment descriptors, which determines the default 
choice of operand-size and address-size for the instructions of a code segment. (In 
real-address mode and virtual-8086 mode, which do not use descriptors, the default is 
16 bits.) A code segment whose D-bit is set is a 32-bit segment; a code segment whose 
D-bit is clear is a 16-bit segment. The D-bit eliminates the need to put the operand 
size and address size in instructions when all instructions use operauce and effective 
addresses of the same size. | 7 


Instruction prefixes to override the default choice of operand size and address size 
(available in protected mode as well as in real- address mode and virtual-8086 mode). 


Separate 32-bit and 16-bit gates for intersegment control transfers (including call 
gates, interrupt gates, and trap gates). The operand size for the control transfer is 


determined by the type of gate, not vy the D-bit or prefix of the transfer instruction. 


Registers which can be used both for 16-bit and 32-bit operands and effective- address 
calculations. 


The B bit (Big bit) of the stack segment descriptor, which species the size of stack 
pointer (the 32-bit ESP register or the 16-bit SP register) used by the processor for 
implicit stack references. The B bit for all data descriptors also. controls upper ADD 
range for expanded down. | 


24.2 MIXING 16-BIT AND 32-BIT OPERATIONS 


The Intel486 processor has two instruction prefixes which allow mixing of 32-bit and 
16-bit operations within one segment: 


e The operand-size prefix (66H) 


The address-size prefix (67H) 


These oe reverse the default size selected by the Default bit. For example, the 
processor can interpret the MOV mem, reg instruction in any of four ways: 


In a 32-bit segment: : 
1. Moves 32 bits from a 32-bit eae to memory using a 32- bit effective address. 


2. If preceded by an operand-size prefix, moves 16 bits from a 16-bit eet to 
memory using a 32-bit effective address. 


3. If preceded by an. address-size prefix, moves 32 bits from a 32-bit easisier to . 
memory using a 16-bit effective address. 


4. If preceded by both an address-size prefix and an operand-size prefix, moves 
16 bits from a 16-bit register to memory using a 16-bit effective address. | 
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e Ina 16-bit segment: 
1. Moves 16 bits from a 16-bit register to memory using a 16-bit effective address. 


2. If preceded by an operand-size prefix, moves 32 bits from a 32-bit register to 
memory using a 16-bit effective address. 


3. If preceded by an address-size prefix, moves 16 bits from a 16-bit register to 
memory using a 32-bit effective address. 


4. If preceded by both an address-size prefix and an operand-size prefix, moves 
32 bits from a 32-bit register to memory using a 32-bit effective address. 


These examples show that any instruction can generate any combination of operand size 
and address size regardless of whether the instruction is in a 16- or 32-bit segment. The 
choice of the 16- or 32-bit default for a code segment is based upon these criteria: 


1. The need to address instructions or data in segments which are larger than 
64K bytes. 


2. The predominant size of operands. 


3. The addressing modes desired. 


The Default bit should be given a setting which allows the predominant size of operands 
to be accessed without operand-size prefixes. 


24.3 SHARING DATA AMONG MIXED-SIZE CODE SEGMENTS 


Because the choice of operand size and address size is specified in code segments and 
their descriptors, data segments can be shared freely among both 16-bit and 32-bit code 
segments. The only limitation is imposed by pointers with 16-bit offsets, which only can 
point to the first 64K bytes of a segment. When a data segment with more than 64K 
bytes is to be shared among 16- and 32-bit segments, the data which is to be accessed by 
the 16-bit segments must be located within the first 64K bytes. 


A stack which spans less than 64K bytes can be shared by both 16- and 32-bit code | 
segments. This class of stacks includes: 


0 Stacks in expand-up segments with the Granularity and Big bits clear. 
eo Stacks in expand-down segments with the Granularity and Big bits clear. 


e Stacks in expand-up segments with the Granularity bit set and the Big bit clear, in 
which the stack is contained completely within the lower 64K bytes. (Offsets greater 
than OFFFFH can be used for data, other than the stack, which is not shared.) 


The B-bit of a stack segment cannot, in general, be used to change the size of stack used 
by a 16-bit code segment. The size of stack pointer used by the processor for implicit 
stack references is controlled by the B-bit of the data-segment descriptor for the stack. 
Implicit references are those caused by interrupts, exceptions, and instructions such as 
the PUSH, POP, CALL, and RET instructions. Although it seems like the B bit could be 
used to increase the stack segment for 16-bit programs beyond 64K bytes, this may not 
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be done. The B-bit does not control explicit stack references, such as accesses to param- 
eters or local variables. A 16-bit code segment can use a “big” stack only if the code is 
modified so that all explicit references to the stack are preceded By the address-size 
prefix, causing those eee to use 32-bit addressing. 


In big, expand-down segments (the Granularity, Big, and Expand-down bits set), all 
offsets are greater than 64K, therefore 16-bit code cannot use this kind of stack segment 
unless the code segment is modified to use 32-bit addressing. (See Chapter 6 for more 
information about the G, B, and E bits.) 7 


24. 4 1 TRANSFERRING CONTROL AMONG MIXED- SIZE CODE 
SEGMENTS 


When eae control among procedures in 16-bit and 32-bit code epee pro- 
_ grammers must be aware of three points: 


e Addressing limitations imposed by pointers with 16- bit Bisets 


e Matching of operand-size attribute in effect for the CALL/RET instruction pair and 
the Interrupt/IRET pair for managing the stack correctly. 


e Translation of parameters, especially pointer parameters. 


Clearly, 16-bit effective addresses cannot be used to address data or code located beyond 
QFFFFH in a 32-bit segment, nor can large 32-bit parameters be squeezed into a 16-bit 
word; however, except for these obvious limits, most interface problems between 16-bit 
and 32-bit modules can be solved. ‘Some solutions involve inserting interface code 

between modules. : : : | 


24.4.1 Size of Code-Segment Pointer 


For control-transfer instructions which use a pointer to identify the next instruction (ie., 
those which do not use gates), the size of the offset portion of the pointer is determined 
by the operand-size attribute. The implications of the use of two different sizes of code- 
segment pointer are: : 


e A JMP, CALL, or RET instruction from. a 32- bit segment to a 16-bit segment is 
always possible using a 32-bit operand size. 


e AJMP, CALL, or RET instruction from’‘a 16-bit segment using a 16-bit operand size 
- cannot address a destination in a 32- bit segment if the address of the destination is 
Oa than OFFFFH. 


An interface arcedure can provide a mechanism for transfers from 16-bit segments to 
destinations in 32-bit segments beyond 64K. The requirements for this kind of cTIACe 
procedure are discussed later in this chapter. pg | 
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24.4.2 Stack Management for Control Transfers 


Because stack management is different for 16-bit CALL and RET instructions than for 
32-bit CALL and RET instructions, the operand size of the RET instruction must match 
the CALL instruction. (See Figure 24-1.) A 16-bit CALL instruction pushes the contents 
of the 16-bit IP register and (for calls between privilege levels) the 16-bit SP register. 
The matching RET instruction also must use a 16-bit operand size to pop these 16-bit 
values from the stack into the 16-bit registers. A 32-bit CALL instruction pushes the 
contents of the 32-bit EIP register and (for interlevel calls) the 32-bit ESP register. The 
matching RET instruction also must use a 32-bit operand size to pop these 32-bit values 
from the stack into the. 32-bit registers. If the two parts of a CALL/RET instruction pair 
do not have matching operand sizes, the stack will not be managed correctly and the 
values of the instruction pointer and stack pointer will not be restored to correct values. 


While executing 32-bit code, if a call to 16-bit code at a more privileged level (..e., 
dpl<cpl) is made via a 286 processor 16-bit call gate, then the upper 16-bits of the ESP 
register may be unreliable upon returning to the 32-bit code (i.e., after executing a RET 
in the 16-bit code segment). 


When the CALL instruction and its matching RET instruction are in segments which 
have D bits with the same values (i.e., both have 32-bit defaults or both have 16-bit 
defaults), the default settings may be used. When the CALL instruction and its matching 
RET instruction are in segments which have different D-bit values, an operand size 
prefix must be used. 
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There are three ways for a 16-bit procedure to make a 32-bit call: 


1. Use a 16-bit call to a 32-bit interface procedure. The interface procedure uses a 
_ 32-bit call to the intended destination. | 


2. Make the call through a 32-bit call gate. 


3, Modify the 16-bit procedure, inserting an operand-size prefix beisre the call, to 
change it to a 32-bit call. | 7 | 


Likewise, there are three ways to cause a 32-bit procedure to make a 16-bit call: 


1. Use a 32-bit call to a 32-bit interface procedure. The interface procedure uses a 
16-bit call to the intended destination. 


2. Make the call through a 16-bit call gate. 


3. Modify the 32-bit procedure, ‘inserting an operand-size prefix before the call, 
thereby changing it to a 16- bit call. (Be certain that the return offset does not exceed 
OFFFFH.) 


Programmers can use any of the preceding methods to make a CALL instruction in a 
16-bit segment match the corresponding RET instruction in a 32-bit segment, or to make 
a CALL instruction in a 32- bit segment match the corresponding RET instruction in a 
16- bit segment. , af | 


24.4.2.1 CONTROLLING THE OPERAND SIZE FOR A CALL 


The operand-size attribute in effect for the CALL instruction is specified by the D bit 
for the segment containing the destination and by any operand-size instruction prefix. 


When the selector of the pointer referenced by a CALL instruction selects a gate 
descriptor, the type of call is determined by the type of call gate. A call through a 286 
call gate (descriptor type 4) has a 16-bit operand-size attribute; a call through an 
Intel386/Intel486 CPU call gate (descriptor type 12) has a 32-bit operand-size attribute. 
The offset to the destination is taken from the gate descriptor; therefore, even a 16-bit 
procedure can calla procedure located more than 64K bytes from the base of a 32-bit 
segment, because a 32-bit call gate contains a 32-bit offset. 


An unmodified 16-bit code segment which has run successfully on an 8086 processor or . 

- in real-mode on a 286 processor will have a D-bit which is clear and will not use 

operand-size override prefixes; therefore, it will use 16-bit versions of the CALL instruc- 

tion. The only modification needed to make a 16-bit procedure produce a 32-bit call is to 
relink the call to an Intel386/Intel486 CPU call gate. 


24.4.2.2 CHANGING SIZE OF A CALL 


When adding 32-bit gates to 16-bit procedures, it is important to consider the number of 
parameters. The count field of the gate descriptor specifies the size of the parameter 
string to copy from the current stack to the stack of the more privileged procedure. The 
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count field of a 16-bit gate specifies the number of words to be copied, whereas the count 
field of a 32-bit gate specifies the number of doublewords to be copied; therefore, the 
16-bit procedure must use an even number of words as parameters. 


24.4.3 Interrupt Control Transfers 


With a control transfer caused by an exception or interrupt, a gate is used. The operand- 
size attribute for the interrupt is determined by the gate descriptor in the interrupt 
descriptor table (IDT). 


An Intel386/Intel486 CPU interrupt or trap gate (descriptor type 14 or 15) to a 32-bit 
interrupt handler can be used to interrupt either 32-bit or 16-bit procedures. However, 
sometimes it is not practical to permit an interrupt or exception to call a 16-bit handler 
when 32-bit code is running, because a 16-bit interrupt procedure has a return offset of 
only 16 bits saved on its stack. If the 32-bit procedure is running at an address beyond 
OFFFFH, the 16-bit interrupt procedure cannot provide the return address. 


(24.4.4 Parameter Translation 


When segment offsets or pointers (which contain segment offsets) are passed as param- 
eters between 16-bit and 32-bit procedures, some translation is required. If a 32-bit 
procedure passes a pointer to data located beyond 64K to a 16-bit procedure, the 16-bit 
_ procedure cannot use it. Except for this limitation, interface code can perform any for- 
mat conversion between 32-bit and 16-bit pointers which may be needed. 


Parameters passed by value between 32-bit and 16-bit code also may require translation 
between 32-bit and 16-bit formats. The form of the translation is application-dependent. 


24.4.5 The Interface Procedure 


Placing interface code between 32-bit and 16-bit procedures can be the solution to sev- 
eral interface problems: | 


o Allowing procedures in 16-bit segments to call procedures with offsets greater than 
OFFFFH in 32-bit segments. 


0 Matching operand size between CALL and RET instructions. 


o Translating parameters (data). 


The interface code is simplified where these restrictions are followed. 


o Interface code resides in a code segment whose D-bit is set, which indicates a default 
operand size of 32-bits. 


o All procedures which may be called by 16-bit procedures have offsets which are not 
greater than OFFFFH. 


o All return addresses saved by 16-bit procedures also have offsets not greater than 
OFFFFH. 
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The interface code becomes more complex if any of these restrictions are violated. For 
example, if a 16-bit procedure calls a 32-bit procedure with an entry. point beyond 
OFFFFH, the interface code will have to provide the offset to the entry point. The 
mapping between 16- and 32-bit addresses only is performed automatically when a call 
gate is used, because the descriptor for a call gate contains a 32-bit auatess, When a call 
gate is not used, the descriptor must provide the 32-bit address. 


The interface code calls procedures in other aoe There may be two kinds of 
interface: 


o Where 16-bit procedures call 32-bit procedures. The interface code is called by 16-bit 
CALL instructions and uses the operand-size prefix before RET instructions for per- 
forming a 16-bit RET instruction. Calls to 32-bit segments are 32-bit CALL instruc- 
tions (by default, because the D “bit is set), and the 32-bit. code returns with 32-bit 

RET instructions. 


o Where 32-bit procedures call 16-bit procedures. The interface code is called by 32-bit 
CALL instructions, and returns with 32-bit RET instructions (by default, because the 
D-bit is set). CALL instructions to 16-bit procedures use the operand-size prefix; 
16-bit procedures return with 16-bit RET instructions. 
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 CHAPTER25 
COMPATIBILITY WITH THE 8087, 
Intel287 AND Intel387 MATH COPROCESSORS 


This chapter addresses the issues that must be faced when transporting numerical soft- 
ware to an Intel486 processor with integrated FPU from one of its predecessor systems. 
To software, the Intel486 processor looks very much like an Intel386 CPU/Intel387 math 
coprocessor system. Software which runs on an Intel386 CPU/Intel387 NPX system, 
whether it was originally created for the Intel386 CPU/Intel387 or was transported from 
a 286/Intel287 or 8086/8087 system, will run with at most minor modifications on the 
Intel486 processor. To transport code directly from a 286/Intel287 or 8086/8087 system 
to the Intel486 processor, certain additional issues must be addressed. Separate sections 
of this chapter are devoted to the differences between the Intel4s6 processor and each 
of its predecessors. 


05.1 DIFFERENCES FROM Intel386 CPU/Intel387 NPX SYSTEMS - 


This section summarizes those differences between the Intel386 CPU/Intel387 NPX SyS- 
‘tem and the Intel486 processor which may affect numerical software. — 


1. Control Register Bits: 


The ET (Extention Type) bit of the CRO control register is used in the Intel386 

- processor to indicate whether the math coprocessor in the system is an Intel287 
(ET=0) or an Intel387 DX (ET=1). This. bit is not used by Intel486 processes 
hardware. The ET bit is hardwired to “1.” 


The NE (Numeric Exception) bit of the CRO repister | is used in the Intel486 proces- 
sor to determine whether unmasked floating-point exceptions are reported inter- 

_ nally via interrupt vector 16 (NE=1) or through external interrupt (NE=0). On 
reset, the NE bit is initialized to 0, so software using the automatic internal error- 
reporting mechanism must set this bit to 1. 


As on the 286 and Intel386 processors, the MP ee bit of the 

__ CRO control register determines whether WAIT instructions trap when the context 
of the FPU is different from that of the currently-executing task. If MP=1 and 
TS=1, then a WAIT instruction will cause a Device Not Available fault (interrupt 
vector 7). The MP bit is used on the 286 and Intel386 microprocessors to support 
the use of a WAIT instruction to wait on a device other than a numeric coprocessor. 
The device reports its status through the BUSY# pin. Since the Intel486 processor 
does not have such a pin, the MP bit has no relevant use, and should be set to 1 for 
normal operation. 


Z Initialization and RESET: 


Upon hardware RESET, the floating-point registers will remain unchanged unless 

the Built-In Self-Test (BIST) is requested. When the BIST is requested, hardware 
RESET has almost the same effect as the FINIT instruction; the only difference is 
that FINIT leaves the stack registers unchanged, while hardware RESET with BIST 
resets them to 0. 


25-1 


intel » COMPATIBILITY WITH THE 8087, Intel287 AND Intel387 COPROCESSORS 


Upon hardware RESET or FINIT, the Intel387 math coprocessor signals an error 
condition. The Intel486 processor, like the Intel287 coprocessor, does not. 


On the Intel486 processor, the FINIT instruction clears the error pointers cals and 
instruction). 


3. Exceptions: 


On the Intel486 processor, an undefined ESC opcode will cause an ‘Illegal Opcode 
exception (interrupt vector 6). Undefined ESC opcodes, like legal ESC opcodes, 

- cause a Device Not Available exception (interrupt vector 7) when either the TS or 
the EM bit of CRO is set. The Intel486 processor does not check for Beane point 
error conditions on encountering an undefined ESC opcode. - 


A misaligned data operand will cause an alignment exception (interrupt vector 17) 
in level 3 software, except for the stack portion of an FSAVE/FRSTOR operation. 


On the Intel486 processor, a WAIT instruction will sometimes be executed as NOP. 
This happens when the WAIT precedes an instruction which itself waits anywhere in 
the course of its execution. In such a case, the report of a numeric exception may 
come one instruction later on the Intel486 processor than on an Intel386 CPU/ 
Intel387 NPX system. : 


On the Intel486 processor, when the first half of an operand to be written is inside a 
page or segment and the second half is outside, a memory fault can cause the first. 
half to be stored without the second, In such cases, nee CPU/Intel387 NPX 
systems store nothing. 


On the Intel486 processor, when. a segment fault occurs in the middle of an 
FLDENV operation, it can happen that part of the environment is loaded and part 
not. In such cases, the FPU control word is left with a value of OO7F H. 


Interrupt 9 does not occur in the Intel486 processor. In cases where the Intel387 
would cause interrupt 9, the Intel486 processor simply aborts the instruction. Some 
care is necessary, however. Memory faults (especially page faults), if they occur in 
FLDENV or FRSTOR while the operating system is performing a task switch, can 
cause the floating-point environment to be lost. Intel strongly omen that the 
floating-point save area be the same page as the TSS. 


4. Transcendental Instructions: 


On the Intel486 processor, transcendental instructions can be dhoited at certain 
checkpoints during execution if an INTR is pending. Transcendental instructions 
should therefore be used only in an environment where INTRs are not poxcoled to 
come as close as 200 clocks apart. 


25.2 DIFFERENCES E AGH sae nAIsby CVE IEE 


This section summarizes the differences between Intel486 processor and Intel386 CPU/ 
Intel387 math coprocessor systems on the one hand, and 286/Intel287 and 8086/8087 
systems on the other, and analyzes the impact of these differences on software that must 
be transported from a 286/Intel287 system to the Intel486 processor. Any migration 
directly from ee 8086/8087 must also take into account the pogecue issues addressed 
in Section 25.3. | oe | 7 
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25.2.1 Data Types and Exception Handling 


Difference Description 


Pseudozero, 
Pseudo-NaN, 
Pseudoinfinity, 
and Unnormail - 
Formats 


Tag Word Bits 
for Unsupported 
Data Formats , 


Invalid-Operation 
Exception 


Reason 


Intel486™ CPU/ 
Intel387"™ NPX 
Behavior | 


The Intel486 CPU/ 
Intel387 NPX distin- 
guishes between | 


signaling NaNs and 


quiet NaNs. The 


Intel486 CPU/Intel387 _ 


NPX only generates — 


‘quiet NaNs. An invalid- 
operation exception is 


raised only upon 
encountering a signal- 
ing NaN (except for 
FCOM, FIST, and 
FBSTP which also 
raise IE for quiet 
NaNs). : 


The Intel486 CPU/ 
Intel387 NPX neither 
generates nor sup- . 
ports these formats; it 
raises an invalid- — 
operation exception 
whenever it encoun- . 
ters them in an arith- 
metic operation. 


The encoding in the 
tag word for the 
unsupported data for- 


| mats mentioned in 
- Section 25.2.1 is ‘“spe- 


cial data” (type 10). 


No invalid-operation 
exception is raised 
upon encountering a. 
denormal in FSQRT, 
FDIV, or FPREM or 


- upon conversion to 


BCD or to integer. The 
operation proceeds by 
first normalizing the 
value. 


-Intel287 ™ /8087 
CPU Behavior 


‘| The Intel287/ 


8087 CPU only 
generates one 
kind of NaN (the 
equivalent of a 
quiet NaN) but 
raises an invalid- 
operation excep- 
tion upon 
encountering any 
kind of NaN. 


i The Intel287/ 


8087 CPU 
defines and sup- 


ports special 


handling for 


‘these formats. 


The encoding for 
_| pseudo-zero and 


unnormal is 


“valid” (type 00); 


the others are 
“special data’”’ 


(type 10). 


Upon encounter- 
ing a denormal 
in FSQRT, FDIV, 
or FPREM or 
upon conversion 
to BCD or to 
integer, the 
invalid-operation 
exception is 
raised. 


25-3 


Impact on 
Software 


Uninitialized 
memory loca- 
tions that contain 
QNaNs should 
be changed to 
SNaNs to cause 
the Intel486 
CPU/Intel387 
NPX to fault 


when uninitial-- 


ized memory — 
locations are 
referenced. 


None. The 
Intel486 CPU/ 
Intel387 DX does 
not generate 
these formats, 
and therefore will 
not encounter | 
them unless a 
programmer 
deliberately 
enters them. 


The exception 
handler may | 
need to be | 
changed if pro- 
grammers. use 
such data types. 


None. Software 
on the Intel486 
CPU/Intel387 
NPX will continue 
to execute in 
cases where the 


 Intel287/8087 — 
‘| CPU would trap. 


for the © 
Difference 


[EEE Stan- 
dard 754 
compatibility. 


IEEE Stan- 
dard 754 
compatibility. 


IEEE Stan- 
dard 754 
compatibility. 


Upgrade, to 
eliminate 
exception. 
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Denormal 


Exception 


- Overflow 
Exception 


Difference Description 


Intel486™ CPU/ — 
Intel387™ NPX 
Behavior 


The denormal excep- - 
tion is raised in tran- — 
scendental instructions 
and FXTRACT. 


Overflow exception 


masked. 


If the rounding mode. 
is set to chop (toward 
zero), the result is the - 


most positive or more . | 


negative number. 


Intel287 ™ /8087 
- CPU Behavior 


The denormal _ 


exception is not 
raised in tran- 
scendental 


| instructions and 
| FXTRACT. 
| Overflow excep- 
| tion masked. 


The Intel287/ 


8087 CPU does. 


not signal the 
overflow excep- 
tion when the ~ 
masked 
response is not 
infinity; i.e., it 
signals overflow 
only when the 


rounding control - 


is not set to 


- round to zero. If — 


@ rounding is set: 


= zero), the result ~ 


Overflow exception 
not masked. 


| The precision excep- 
tion is flagged. When 


the result is stored in © 


the stack, the signifi- 
cand is rounded - 
according to the preci- — 


sion control (PC) bit of 


the control word or | 


according tothe —— 


opcode. 


to chop (toward 


is positive or 


negative infinity. . , 


Overflow 


exception not. 
masked. 

| The precision 
exception is not 


flagged and the 
signficand is not 


rounded. : 


Impact on.- . 


_ Software — 


The exception 


handler needs to 
be changed only 
if it gives special 


treatment to dif- 
ferent opcodes. 


| Overflow excep- 


tion masked. 


Under the most 
common round- 
ing modes, no 

impact. If round- 


-ing is toward | 
| zero (chop), a 
|. program on the 


Intel486 CPU/ 
Intel387 NPX 
produces under 
overflow condi- 


‘tions a result that 


is different in. the 
least significant 


‘|. bit of the signifi- 


cand, compared 
to. the result on 
the Intel287. 
CPU. - 


Overflow 


_exception not 
masked. 


“If the result is 


stored onthe . 


stack, a program 


on the Intel486 
CPU/Intel387 
NPX produces a 


‘different result 


under overflow 


“conditions than 


on the Intel287/ 


8087 CPU. The 


difference is 
apparent only to 


the exception 


~ | handler. — 
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Reason. 
- forthe — 
Difference 


Performance 
enhance- 


ment for nor- - 


mal case. — 


IEEE Stan- 
dard 754 
compatibility. 
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Underflow 
Exception 


Two related 
events contribute 
to underflow: 


1. The creation 
tiny result. A 
tiny number, 
because it is 
so small, may 
cause some 
other 
exception 
later (Such as 
overflow upon 
division). 

. Loss of 
accuracy 
during the 
denormalization 
of a tiny 
number. 


Which of these 
events triggers 
the underflow 

| exception 
depends on 
whether the 
underflow 
exception is 
masked. 


Exception 
Precedence 


Intel486™ CPU/ 
Intel387™ NPX 
Behavior 


Conditions for under- 
flow. 


When the underflow - 
exception is masked, 
the underflow excep- 
tion is signaled when 
both the result is tiny 
and denormalization 
results.in a loss of 
accuracy. 


Response to 
underflow. 


When the underflow 


exception is unmasked: 


and the instruction is 
supposed to store the 
result on the stack, the 
significand is rounded 
to the appropriate pre- 
cision (according to 
the precision control 
(PC) bit of the control 
word, for those instruc- 
tions controlled by PC, 
otherwise to extended 
precision). 


There is no difference 
in the precedence of 
the denormal excep- 
tion, whether it be 


masked or not. 


Difference Description 


Intel287 ™ /8087 
CPU Behavior 


Conditions for 
underflow. 


When the under- 
flow exception is 
masked and 
rounding is 
toward zero, the 
underflow excep- 
tion flag is raised 
on tininess, 
regardless of 
loss of accuracy. 


Response to 
underflow. 


When the under- 


flow exception is _ 


not masked and 
the destination is 
the stack, the 
signficand is not 
rounded but 
rather is left as 
is. | 


When the denor- 
mal exception is 
not masked, it 
takes prece- 
dence over all 
other exceptions. 
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Reason 
for the 
Difference 


Impact on 
Software 


[IEEE Stan- 
‘dard 754 
compatibility. 


Underflow 
exception 
masked. | 


No impact. The 
underflow excep- 
tion occurs less 
often when 
rounding is 
toward zero. 


Underflow 
exception not 
masked. 


A program on 
the Intel486 
CPU/Intel387 
NPX produces a 
different result 
during underflow 
conditions than 
on the Intel287/ 
8087 CPU if the 
result is stored 
on the stack. The 
difference is only 
in the least sig- 
nificant bit of the 
significand and is 
apparent only to . 
the exception 
handler. 


None, but some 
unneeded nor- 
malization of 
denormal oper- - 
ands is pre- 
vented on the 
Intel486 
CPU/Intel387 NPX. 


Operational 
improvement. 
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25.2.2 Tag, Status, and Control Words 


Bits C3-CO > 
of Status 
Word 


Bit C2 of 
Status 
Word 


Infinity 
Control 


Status 

Word Bit 6 
for Stack - 

Fault 


Intel486™ CPU/ 
Intel387™ NPX 
Behavior 


After FINIT, incomplete 
FPREM, and hardware 
reset, these bits are 
set to zero. 


Bit 10 (C2) serves as 
an incomplete bit for 
FPTAN. | 


Only affine closure is 
supported. Bit 12 
remains programmable 
but has no effect on 
operation. 


When an invalid- 
operation exception 
occurs due to stack © 
overflow or underflow, 
not only is bit O (IE) of 
the status word set, 
but also bit 6 is set to 
indicate a stack fault 
and bit 9 (C1) speci- 


| fies overflow or under- 


flow. Bit 6 is called SF 
and serves to distin- 
guish invalid excep- 
tions caused by stack 
overflow/underflow 
from those caused by 
numeric operations. 


Difference Description 


Intel287™ /8087 


CPU Behavior — 


After FINIT, - 


incomplete — 


FPREM, and 
hardware reset, 
the Intel287/8087 
CPU leaves these 
bits intact (they 
contain the prior 
value). 


This bit is unde- 
fined for FPTAN. 


Both affine and 


“projective clo- 


sures are sup- 
ported. After 
RESET, the. 
default value in 


the control word © 


is projective. 


When an invalid- | 


operation excep- 
tion occurs due 
to stack overflow 
or underflow, only 
bit O (IE) of the 
status word is 
set. Bit 6 is 


‘RESERVED. 
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Impact on 
Software 


None. Programs 
don’t check C2 
after FPTAN. 


Software that 

requires projec- 
tive infinity arith- 
metic may give 
different results. 


None. Existing — 


exception han- 
dlers need not 
change, but may 
be upgraded to 


take advantage of 


the additional 
information. 
Newly written 
handlers will be 
more effective. 


Reason 
for the 
Difference 


Upgrade, to pro- 
vide consistent 


State after reset. 


Upgrade to allow 
fast checking of 
operand range. 


IEEE Standard 
754 compatibility. 


Upgrade and per- 
formance 
improvement. 
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Tag Word 


Intel486"™ CPU/ 
Intel387"™ NPX 
Behavior 


When loading the tag 
word with an FLDENV 
or FRSTOR instruction, 
the only interpretations 
of tag values are 
empty (value 11) and 
nonempty (values 00, 
01, and 10). Subse- 
quent operations ona 
nonempty register 
always examine the 
value in the register, 
not the value in its tag. 
The FSTENV and 
FSAVE instructions 
examine the nonempty 
registers and put the 
correct values in the 
tags before storing the 
tag word. 


Difference Description 


Intel287 ™ /8087 
CPU Behavior 


The correspond- 
ing tag is 
checked before 
each register 
access to deter- 
mine the class of 
operand in the 
register; the tag 
is updated after 
every change to a 
register so that 
the tag always 
reflects the most. 
recent status of 
the register. Pro- 
grammers can 
load a tag with a 
value that dis- 
agrees with the 
contents of a reg- 
ister (for example, 
the register con- 
tains valid con- 
tents, but the tag 
Says special; the 
Intel287/8087 
CPU, in this case, 
honors the tag 
and does not 
examine the 
register). 


Impact on 
_ Software 


Software may not 
operate correctly 
if it uses FLDENV 
or FRSTOR to 
change tags to | 
values (other than 
empty) that are 
different from 
actual register 
contents. 


Reason 
for the 
Difference 


Performance 
improvement. 
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25.2.3 Instruction Set 


FBSTP, FDIV, 
FIST(P), 
FPREM, 


FSCALE 


FPREM1 


FUCOM, 
FUCOMP, 
FUCOMPP 


Difference Description 


Intel486™ CPU/- 
Intel387™ NPX. 
Behavior 


Operation on denormal 
operand is supported. 
An underflow excep- 
tion can occur. 


The range of the scal- 
ing operand is not 
restricted. If 0 < | 
ST(1) | < 1, the scal- 
ing factor is zero; 
therefore, ST(0) 
remains unchanged. If 
the rounded result is. 
not exact or if there 
was a loss of accuracy 
(masked underflow), 
the precision excep- 
tion is signaled. 


Performs partial 
remainder according 
to IEEE Standard 754 
standard. 


Bits CO, C3, Ci of the 
status word, correctly 
reflect the three low- 
order bits of the 
quotient. 


Perform unordered 


compare according to 
IEEE Standard 754 
standard. 


Intel287 ™/8087 
CPU Behavior | 


Operation on— 
denormal oper- 
and raises 
invalid-operation . 
exception. 
Underflow is not 
possible. 


The range of the 
scaling operand 
is restricted. If 0 
<|ST(1)| <1, © 
the result is — 
undefined and | 
no exception is 


signaled. 


Does not exist. 


The quotient bits 
are incorrect 
when performing 
a reduction of 
64N+M when N 
=1andM=1 

or M=2. 


Do not exist. 


25-8 


impact on 
Software 


The exception 


handler for 


underflow may 
require change © 
only if it gives 
different treat- 


ment to different 


opcodes. Possi- 
bly fewer invalid- 


- Operation 


exceptions will 
occur. 


‘Different result 
whenO<|[ 
ST(1)| <1. - 


None. Software 
that works 
around the bug 
should not be 
affected. 


_ Reason 
for the 
Difference | 


IEEE 


Standard 754 


‘ compatibility. 


Upgrade. 


IEEE Standard 
754 compatibility — 
and upgrade. 


Upgrade. 


IEEE 
Standard 754 
compatibility. 
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FPTAN 


FSIN, FCOS, 
FSINCOS 


FPATAN 
F2XM1 


FLD 
extended-real 


FXTRACT 


‘If the operand is zero, 


Intel486™ CPU/ 
Intel387"™ NPX 
Behavior 


| Difference Description 


Intel287 ™ /8087 
CPU Behavior 


Reason 
for the 
Difference 


Impact on 
Software — 


Range of operand is 
much less restricted (| 
ST(0) | < 2°); reduces 
operand internally © 
using an internal 1/4 
constant that is more 
accurate. 


After a stack overflow 
when the invalid- 
operation exception is 
masked, both ST and 
ST(1) contain quiet 
NaNs. 


Perform three common 
trigonometric 
functions. 


Range of operands is 
unrestricted. 


Range of oper- 
and is restricted 
(| ST(O) | < 1/4); 
operand must 
be reduced to 
range using 
FPREM. 


After a stack 
overflow when 
the invalid- 
operation excep- 
tion is masked, 
the original 
operand remains 
unchanged, but 
is pushed to 
ST(1). 


Do not exist. 


| ST(0) | must be 
smaller than 
| ST(1) |. 


Upgrade. 


IEEE 
Standard 754 
compatibility. 


Upgrade. 


Upgrade. 


Wider range. of oper- 
and (—1<ST(0)< +1). 


Does not report denor- 
mal exception because 
the instruction is not 

arithmetic. 


the zero-divide excep- 
tion is reported and 
ST(1) is —oo. If the 
Operand is +, no 
exception is reported. 


The supported 
operand range 


| is O<ST(0)<0.5. 


Reports denor- 
mal exception. 


if the operand is 
zero, ST(1) is 
zero and no 
exception is 


‘reported. If the 


operand is +0, 
the invalid- 

operation excep- 
tion is reported. 
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Upgrade. 


Upgrade. 


IEEE 754 rec-: 
ommendation to 
fully support the 
logb function. - 


None. Software : 
usually 

_ bypasses zero: 
and , 
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| Difference Description _ 


Intel486™ CPU/_ 
Intel387™ NPX 
Behavior 


Reason 
for the 
Difference 


Impact on 
_ Software . 


Intel287 ™ /8087 
CPU Behavior 


IEEE 754 
recommendations. 


Results for 
FLDPI, FLDLN2, 
FLDLG2, and 
FLDL2E are the 
same as for the | 
8087/Intel287 
CPU when > 
rounding control 
jis set:to round 
to nearest or . 
round to +, 
They are the the 
same for 
FLDL2T when . 
rounding control . 
is set to round 
to nearest, 
round to -o, or 
round to:zero. 
Results are dif- 
ferent from the 
8087/Intel287 . 
CPU in-the | 
leaast significant 
bit of the man-. | 
tissa if rounding 
control is set to 
round to -» or 
round to 0 for 
FLDPI, FLDLN2, 
FLDLG2, and 
FLDL2E; they 
are diferent.for 
FLDL2T if round - 
to +o is 
specified. 


FLD constant | Rounding con- 
trol is not in 


effect. 


Rounding control is in 
effect. 


If the next ; 


PLO: eager Loading a denormal Loading a IEEE 

single/double | causes the number to denormal |. instruction is Standard 754 

precision be converted to causes the num- | FXTRACT or compatibility. 
extended precision ber to be con- FXAM, the 


Intel486 CPU/ 
Intel887 NPX will 
give a different 
result than the . 
Intel287/8087 
CPU. 


(because it is put on 
the stack). | 


verted to an 
unnormal. 


IEEE 
Standard 754 
compatibility. 


FLD When loading a signal- | Does not raise The exception 
single/double ing NaN, raises invalid | an exception handler needs 

precision exception. when loading a__| to be updated to 

signaling NaN. | handle this 

- | condition. 
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FSETPM 


All 
Transcendental 
Instructions 


Intel486™ CPU/ 
Intel387"™ NPX 
Behavior 


Treated as FNOP (no 


operation). 


Encountering an 
empty register will not 
generate combinations 
of C3-CO equal to 
1101 of 1111. 


May generate different 
results in round-up bit 
of status word. 


Difference Description 


Intel287 ™/8087 
CPU Behavior 


Informs the 
Intel287 CPU 
that the system 
is in protected 
mode. 


May generate 
these combina- 
tions, among 
others. 


Round-up bit of 
status word is 
undefined for 


Impact on 
Software 


Reason 
for the 
Difference 


The Intel486/ 
Intel386 CPU 
handles all 
addressing and 
exception- 
pointer informa- 
tion, whether in 
protected mode 
or not. 


Upgrade, to pro- 
vide repeatable 
results. 


Upgrade, to sig- 
nal rounding 
status. 


these 
instructions. 


25.3 DIFFERENCES FROM 8086/8087 SYSTEMS 


The Intel486 processor operating in real-address mode will execute 8087 programs with- 
out major modification. However, because of differences in the handling of numeric 
exceptions between the Intel486 processor and the 8087 NPX, exception-handling rou- 
tines may need to be changed. This section provides details showing how 8087 programs 
can be ported to the Intel486 processor. 


1. The 8087 requires an interrupt controller (8259A) to interrupt the CPU when an 
unmasked exception occurs. Therefore, any interrupt-controller-oriented instruc- 
tions in numeric exception handlers for the 8087 should be deleted. 


2. The 8087 instructions FENI/FNENI and FDISI/FNDISI perform no useful function 
in the Intel486 processor. If the Intel486 processor encounters one of these opcodes 
in its instruction stream, the instruction will effectively be ignored—none of the, 
Intel486 processor internal states will be updated. While 8087 code containing these 
instructions may be executed on the Intel486 processor, it is unlikely that the 
exception-handling -routines containing these instructions will be completely 

portable. 


3. In real mode and protected mode (not including virtual 8086 mode), interrupt vector 
16 must point to the numeric exception handling routine. In virtual 8086 mode, the 
V86 monitor can be programmed to accommodate a different location of the inter- 
rupt vector for numeric exceptions. | 
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. The ESC instruction address saved in the Intel486 processor includes any leading 


prefixes before the ESC opcode. The corresponding address saved in the 8086/8087 
does not include leading prefixes. 


. In protected mode (not including virtual 8086 mode), the format of the Intel486 


processor saved instruction and address pointers is different than for the 8087. The 
instruction opcode is not saved in protected mode — exception handlers will have to 
retrieve the opcode from memory if needed. 


. Interrupt 7 will occur in the Intel486 processor when executing ESC instructions 


with either TS (task switched) or EM (emulation) of the MSW set (TS=1 or 
EM = 1). If TS and MP are set, then a WAIT instruction will also cause interrupt 7. 
An exception handler should be included in Intel486 processor code to handle these 
situations. © 


. Interrupt 13 will occur if the starting address of a numeric operand falls outside a 


segment’ s size. An exception handler should be included to report these program- 
ming errors. 


. Except for the FPU control instructions, all of the Intel486 ‘processor numeric 
- instructions are automatically synchronized —the processor automatically waits until 
all operands have been transferred before executing the next ESC instruction. No 


explicit WAIT instructions are required to assure this synchronization. For the 8087 
used with 8086 and 8088 processors, explicit WAITs are required before each 
numeric instruction to ensure synchronization. Although 8087 programs having 
explicit WAIT instructions will execute perfectly on the Intel486 processor without 
reassembly, these WAIT instructions are unnecessary. 


. Since the Intel486 processor does not require WAIT instructions before each 


numeric instruction, the ASM386/486 assembler does not automatically generate 
these WAIT instructions. The ASM86 assembler, however, automatically precedes 


~ every ESC instruction with a WAIT instruction. Although numeric routines gener- 


ated using the ASM86 assembler will generally execute correctly on the Intel486 


_ processor, reassembly using ASM386/486 eee in a more compact code image 


and faster execution. 


The control instructions for the Intel486 FPU can be coded using sither a WAIT or 
No-WAIT form of mnemonic. The WAIT forms of these instructions cause 
ASM386/486 to precede the ESC instruction with a WAIT instruction, in the iden- 


~ tical manner as does ASM86. 


10. 


11. 


The address of a memory operand stored by FSAVE or FSTENV is undefined if the 


previous ESC instruction did not refer to memory. 


Because the Intel486 processor automatically normalizes denormal numbers when 
possible, an 8087 program that uses the denormal exception solely to normalize 
denormal operands can run on an Intel486 processor by masking the denormal 
exception. The 8087 denormal exception handler would not be used by the Intel486 


- processor in this case. A numerics program runs faster when the Intel486 pros 
performs normalization of denormal operands. 
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CHAPTER 26 | 
INSTRUCTION SET 


This chapter presents instructions for the Intel486 processor in alphabetical order. For 
each instruction, the forms are given for each operand combination, including object 
code produced, operands required, execution time, and a description. For each instruc- 
tion, there is an operational description and a summary of exceptions generated. 


26.1 OPERAND-SIZE AND ADDRESS-SIZE ATTRIBUTES 


When executing an instruction, the Intel486 processor can address memory using either 
16 or 32-bit addresses. Consequently, each instruction that uses memory addresses has 
associated with it an address-size attribute of either 16 or 32 bits. The use of 16-bit 
addresses implies both the use of 16-bit displacements in instructions and the generation - 
of 16-bit address offsets (segment relative addresses) as the result of the effective 
address calculations. 32-bit addresses imply the use of 32-bit displacements and ‘the 
generation of 32-bit address offsets. Similarly, an instruction that accesses words 
(16 bits) or doublewords (32 bits) has an operand-size attribute of either 16 or 32 bits. 


The attributes are determined by a combination of defaults, instruction prefixes, and 
(for programs executing in protected mode) size- e-specification bits in segment 
descriptors. | | 


26.1.1 Default Segment Attribute — 


For programs running in protected mode, the D bit in executable-segment descriptors 
specifies the default attribute for both address size and operand size. These default 
attributes apply to the execution of all instructions in the segment. A clear D bit sets the 
default address size and operand size to 16 bits; a set D bit, to 32 bits. 


Programs that execute in real mode or virtual- 8086 mode have 16-bit addresses and 
operands by default. 7 | 


26.1.2 Operand-Size and Address-Size Instruction Prefixes 


The internal encoding of an instruction can include two byte-long prefixes: the address- 
size prefix, 67H, and the operand-size prefix, 66H. (A later section, “Instruction For- 
mat,” shows the position of the prefixes in an instruction’s encoding.) These prefixes 
override the default segment attributes for the instruction that follows. Table 26-1 shows 
the effect of each possible combination of defaults and overrides. 
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Table 26-1. Effective Size Attributes 


sstensmrenor [x |+txty[w|r] |» 


eseonason [tele |=l#|=|~el]w 
[Cencwersionses fe fe |wlefefel=[« 


Y = Yes, this instruction prefix is present 
N = No, this instruction prefix is not present 


26.1.3 Address-Size Attribute for Stack 


Instructions that use the stack implicitly (for.example: POP EAX) also have a stack 
address-size attribute of either 16 or 32 bits. Instructions with a stack address-size 
attribute of 16 use the 16-bit SP stack pointer register; instructions with a stack address- 
size attribute of 32 bits use the 32-bit ESP register to form the address of the top of the 
stack. | | 


The stack address-size attribute is controlled by the B bit of the data-segment descriptor 
in the SS register. A value of zero in the B bit selects a stack address-size attribute of 16; 
a value of one selects a stack address-size attribute of 32. 


26.2 INSTRUCTION FORMAT 


All instruction encodings are subsets of the general instruction format shown in 
Figure 26-1. Instructions consist of optional instruction prefixes, one or two primary 
opcode bytes, possibly an address specifier consisting of the ModR/M byte and the SIB 
(Scale Index Base) byte, a displacement, if required, and an immediate data field, if 

required. : _— | | 


INSTRUCTION ADDRESS: _— OPERAND- SEGMENT 
PREFIX . SIZE PREFIX SIZE PREFIX OVERRIDE 


NUMBER OF BYTES | 
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Figure 26-1. Intel486™ Processor Instruction Format. 
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Smaller encoding fields can be defined within the primary opcode or opcodes. These 
fields define the direction of the operation, the size of the displacements, the register 
encoding, or sign extension; encoding fields vary depending on the class of operation. 


Most instructions that can refer to an operand in memory have an addressing form byte 
following the primary opcode byte(s). This byte, called the ModR/M byte, specifies the 
address form to be used. Certain encodings of the ModR/M byte indicate a second 
addressing byte, the SIB (Scale Index Base) byte, which follows the ModR/M byte and is 
required to fully specify the addressing form. 


Addressing forms can include a displacement immediately following either the ModR/M 
or SIB byte. If a displacement is present, it can be 8-, 16- or 32-bits. 


If the instruction specifies an immediate operand, the immediate operand always follows 
any displacement bytes. The immediate operand, if specified, is always the last field of 
the instruction. 


The following are the allowable instruction prefix codes: 


F3H REP prefix (used only with string instructions) 

F3H REPE/REPZ prefix (used only with string instructions) — 
F2H REPNE/REPNZ prefix (used only with string instructions) — 
FOH LOCK prefix 


The following are the segment override prefixes: 


2EH — CS segment override prefix 
36H SS segment override prefix 
- 3EH ~ - DS segment override prefix 
26H ES segment override prefix 
64H FS segment override prefix 
65H GS segment override prefix 
66H Operand-size override 
67H Address-size override 


26.2.1 ModR/M and SIB Bytes 

The ModR/M and SIB bytes follow the opcode byte(s) in many of the Intel486 processor 
instructions. They contain the following information: 

e The indexing type or register number to be used in the instruction 

e The register to be used, or more information to select the instruction 


e The base, index, and scale information 


The ModR/M byte contains three fields of information: 


e The mod field, which occupies the two most significant bits of the byte, combines with 
the r/m field to form 32 possible values: eight registers and 24 indexing modes. 
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e The reg field, which occupies the next three bits following the mod field, specifies 
either a register number or three more bits of opcode information. The meaning ot 
_ the reg field is determined by the first (opcode) byte of the instruction. 


e The r/m field: which occupies the three least significant bits of the byte, can specify a 
register as the location of an operand, or can form part of the addressing- node 
encoding in combination with the mod field as described above. 


The based indexed and scaled indexed forms of 32- bit addressing require the SIB byte. 
The presence of the SIB byte is indicated by certain ene of the OE byte. a 
SIB byte then includes the following fields: 


e The ss field, which i me two most enue bits of the Pye specifies the 
scale factor. , 


e The index field, which occupies the next three bits following the ss ines and specifies 
the register number of the index register. 


e The base field, which occupies the three least significant bits of the byte, specifies the 
register number of the base register. oe | | 


Figure 26-2 shows the formats of the ModR/M and SIB bytes. 


The values and the corresponding addressing forms of the ModR/M and SIB bytes are 
shown in Tables 26-2, 26-3, and 26-4. The 16-bit addressing forms specified by the 
ModR/M byte are in Table 26-2. The 32-bit addressing forms specified by the ModR/M 
byte are in Table 26-3. Table 26-4 shows the 32- bit cia ee: — aoa by the SIB 
byte. | 


MODRI/M BYTE 
7 6 5 4 3 2 1 


| mop |REGiopcopE| RIM 


- §1B (SCALE INDEX BASE) BYTE 


_ 240486i26-2 


- Figure 26-2. ModR/M and SIB Byte Formats 
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Table 26-2. 16-Bit Addressing Forms with the ModR/M Byte 


r8(/r) | CL DL BL AH CH DH BH 
r16(/r) CX DX BX SP BP SI DI 
r32(/r) ECX | EDX | EBX | ESP | EBP ESI EDI 
/digit (Opcode) 7 | 2 3 4 5 6 7 
REG = : 001 010 011 100 101 110 111 


Effective Mod R/M |: ModR/M Values in Hexadecimal 
Address | | 


[BX+ Sl] 
[BX +- Dl] 
[BP + Sl] 
[BP + Dl] 
[Sl] 

[D1] 
disp16 
[BX] 


[BX + Sl] + disp8 
[BX + Dl] + disp8 
[BP + Sl] + disp8 
[BP + Dl] + disp8 


[Sl] + disp8 
[DI] + disp8 
[BP] + disp8 
[BX] + disp8 


[BX+ Sl] + disp16 
[BX + Dl] + disp16. 
[BP +Sl] +disp16 
_([BP+DI]+disp16 
[Sl] + disp16 
[DI] + disp16 
[BP]+dispi6 | 
[BX] +disp16 | 


EAX/AX/AL 
ECX/CX/CL 
EDX/DX/DL 
EBX/BX/BL 
ESP/SP/AH 
EBP/BP/CH 
ESI/SI/DH 
EDI/DI/BH 


NOTES: disp8 denotes an 8-bit displacement following the ModR/M byte, to be sign-extended and added 
to the index. disp16 denotes a 16-bit displacement following the ModR/M byte, to be added to the 
index. Default segment register is SS for the effective addresses containing a BP index, DS for 
other effective addresses. 
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Table 26-3. $2: Bit Addressing Forms with the ModR/M Byte 


r8(/r) | AL | CL | DL | BL 
ri6(/r) AX | CX DX BX 
r32(/r) 2 me, EAX ECX | EDX | EBX ESP eoP 
/digit (Opcode) | 0 1 a 3 
REG = _.. a | — 000 001 010 011 ‘a ) Be 


Effective Mod R/M ae, | ModR/M Values in Hexadecimal 
Address 


disp8[EAX] 
disp8[ECX] | 
disp8[EDX] 
disp8[EBX]; 
disp8[--][--] ~ 
disp8[EBP] 
disp8[ESI] 
disp8[EDI] 


disp32[EAX] | 
disp32[ECX] 
disp32[EDX] 
disp32[EBX] 
disp32[--][--] 
disp32[EBP]. 
disp32[ESI] 
disp32[EDI] . 


EAX/AX/AL 
ECX/CX/CL 
EDX/DX/DL 
EBX/BX/BL | 
ESP/SP/AH 
EBP/BP/CH 
ESI/SI/DH 
EDI/DI/BH 


NOTES: ‘[--][--] means a SIB follows the ModR/M Bite ‘ane ae 
. _#disp8 denotes an 8-bit displacement following the SIB byte, to be sign- -extended and added to 
the index. disp32 denotes a 32-bit displacement following the SIB byte, to be added to the index. 
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Table 26-4. 32-Bit Addressing Forms with the SIB Byte 


EAX EBX | ESP EDI 
0 3 4 7 
000 011 100 111 


Scaled Index SS Index SIB Values in Hexadecimal 


[EAX*2] 
[ECX*2] 
[ECX*2] 
[EBX*2] 
none 
[EBP*2] 
[ESI*2] 
[EDI*2] 


[EAX*4] 
[ECX*4] 
[EDX*4] 
[EBX*4] 
none 
[EBP*4] 
[ESI*4] 
[EDI*4] 


[EAX*8] 
[ECX*8] 
[EDX*8] 
[EBX*8] 
none 
[EBP*8] 
[ESI*8] 
[EDI*8] 


NOTES: [*] means a disp32 with no base if MOD is 00, [EBP] otherwise. This provides the following 
addressing modes: 
disp32[index] (MOD =00) 
disp8[EBP] [index] (MOD =01) 
disp32[EBP] [index] (MOD = 10) 
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26.2.2 How to Read the Instruction Set —o 


The following is an example of the format used for each Intel486 | processor instruction 
description in this chapter: — | | 


CMC — steels Carry Flag 


The above table is followed by paragraphs labelled “Operation,” “Description,” “Flags 
Affected,” “Protected Mode Exceptions,” “Real Address Mode Exceptions,” and, 
optionally, “Notes.” The following sections explain the notational conventions and 
abbreviations use in these patagrapns of the instruction n descriptions. 


26.2.2.1 OPCODE COLUMN - 


The “Opcode” column gives the complete object code produced for each form of the 
instruction. When possible, the codes are given as hexadecimal bytes, in the same order 
in which they appear in memory, Definitions of entries other than hexadecimal oye are 
as follows: | oo 7 | 


/digit: (digit is between 0 and 7) indicates that the ModR/M byte of the instruction uses 
only the r/m (register or memory) operand. The reg field contains the digit that provides 
an extension to the instruction’s opcode. 


/r: indicates that the ModR/M byte of the instruction contains both a register operand 
and an r/m operand. | 


cb, ew, ed, cp: a 1-byte (cb), 2-byte (cw), 4-byte (cd) or 6-byte (cp) value following the 
opcode that is used to specify a code offset and possibly a new value for the code 
segment register. : 


ib, iw, id: a 1-byte (ib), 2-byte (iw), or 4-byte (id) immediate operand to the instruction 
that follows the opcode, ModR/M bytes or scale-indexing bytes. The opcode determines 
if the operand is a signed value. All words and doublewords are given with the low-order 
byte first. | | 
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+rb, +rw, +rd: a register code, from 0 through 7, added to the hexadecimal byte given 
at the left of the plus sign to form a single opcode byte. The codes are — 


| rb rw rd 
AL = 0 AX = 0 EAX = 0 
CL = 1 CX 1 ECX = 1 
DL = 2 DX = 2 EDX a 2 
BL = 3 BX = 3 EBX = 3 

rb rw rd 
- AH: = 4 SP = 4 ESP = 4 
CH = 5 BP = 5 EBP = 5 
DH = 6 Sl = 6 ESI = 6 
BH = f DI 7 EDI 7 


+i: used in floating-point instructions when one of the operands is ST(i) from the FPU 
register stack. The number i (which can range from 0 to 7) is added to the hexadecimal 
byte given at the left of the plus sign to form a single opcode byte. 


26.2.2.2 INSTRUCTION COLUMN 


The “Instruction” column gives the syntax of the instruction statement as it would 
appear in an ASM386 program. The following is a list of the symbols used to represent 
operands in the instruction statements: 


rel8: a relative address in the range from 128 bytes before the end of the instruction to 
127 bytes after the end of the instruction. 


rell6, rel32: a relative address within the same code segment as the instruction assem- 
bled. rel16 applies to instructions with an operand-size attribute of 16 bits; rel32 applies 
to instructions with an operand-size attribute of 32 bits. 


ptr16:16, ptr16:32: a far pointer, typically in a code segment different from that of the 
instruction. The notation 16:16 indicates that the value of the pointer has two parts. The 
value to the left of the colon is a 16-bit selector or value destined for the code segment 
register. The value to the right corresponds to the offset within the destination segment. 
ptr16:16 is used when the instruction’s operand- size attribute is 16 bits; ptr16:32 is used 
with the 32-bit attribute. | 


r8: one of the byte registers AL, CL, DL, BL, AH, CH, DH, or BH. 
r16: one of the word registers AX, CX, DX, BX, SP, BP, SI, or DI. 
r32: one of the doubleword registers EAX, ECX, EDX, EBX, ESP, EBP, ESI, or EDI. 
imm8: an immediate byte value. imm§8 is a sied number between: -128 and +127 
inclusive. For instructions in which imm§8 is combined with a word or doubleword oper- 


and, the immediate value is sign-extended to form a word or doubleword. The upper 
byte of the word is filled with the topmost bit of the immediate value. 
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imm16: an immediate word value used for instructions whose operand-size attribute is 
16 bits. This is a number between —32768 and +32767 inclusive. 


imm32: an immediate doubleword value used for instructions whose operand-size 
attribute is 32-bits. It allows the use of a number between + 2147483647 and 
—2147483648 inclusive. 


r/m8: a one-byte operand that is either the contents of a byte register (AL, BL, CL, DL, 
AH, BH, CH, DH), or a byte from memory. 


r/m16: a word register or memory operand used for instructions whose operand-size 
attribute is 16 bits. The word registers are: AX, BX, CX, DX, SP, BP, SI, DI. The 
contents of memory are found at the address provided by the effective address 
compen | 


r/m32: a doubleword register or memory operand used for instructions whose operand- 

size attribute is 32-bits. The doubleword registers are: EAX, EBX, ECX, EDX, ESP, 

EBP, ESI, EDI. The contents of memory are found at the address provided by the 
effective address computation. 


m: a 16 or 32-bit memory operand. 


m8: a memory byte addressed by DS:[E]SI or ES:[E]DI (used only by string instruc- 
tions). 


m16: a memory word addressed by DS: [E]SI or ES: [E]DI (used only by string instruc- 
tions). > | 


m32: a memory poner addressed by DS:[E]SI or ES: [E]DI (used ony. by string 
instructions). 


m16:16, m16: 32: a memory operand containing a far pointer nee of two numbers. 
The number to the left of the colon corresponds to the pointer’s segment selector. The 
number to the right corresponds to its offset. 


m16&32, m16&16, m32&32: a memory operand consisting of data item pairs whose sizes 
are indicated on the left and the right side of the ampersand. All memory addressing 
modes are allowed. m16&16 and m32&32 operands are used by the BOUND instruction 
to provide an operand containing an upper and lower bounds for array indices. m16&32 
is used by LIDT and LGDT to provide a word with which to load the limit field, and a 
doubleword with which to load the base field-of the corresponding Global and Interrupt 
Descriptor Table Registers. 


moffs8, moffs16, moffs32: (memory offset) a simple memory variable of type BYTE, 
WORD, or DWORD used by some variants, of the MOV instruction. The actual address 
is given by a simple offset relative to the segment base. No ModR/M byte is used in the 
instruction. The number shown with moffs indicates its size, which is eelohenee by the 
address- -size attribute of the instruction. 
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_Sreg: a segment register. The segment register bit assignments are ES=0, CS=1, SS=2, 
DS=3, FS= 4, and GS= 5; | 


m32real, m64real, m80real: (respectively) single-, double-, and extended-real floating- 
point operands in memory. 


m16int, m32int, m64int: (respectively) word-, short-, and long-integer floating-point 
operands i in memory. 


mNbyte: N-byte floating-point operand in memory. 
ST or ST(0): a0p element of the FPU register stack. 


ST(i): i element from the sop of the FPU register stack. (i=0. 1D 


26.2.2.3 CLOCKS COLUMN 

The “Clocks” column gives the approximate number of clock cycles the instruction takes 
to execute. The clock count calculations makes the following assumptions: 

o Data and instruction accesses hit in the cache. 

o The target of a jump instruction is in the cache. 

0 No invalidate cycles contend with the instruction for use of the cache. 

o Page translation hits in the TLB. 

0 Memory operands are aligned. 


e Effective address calculations use one base register and no index register, and the 
base register is not the destination register of the preceding instruction. 


o Displacement and immediate are not used together. 
e No exceptions are detected during execution. 


e There are no write-buffer delays. 


For a discussion of the performance penalties incurred when these conditions do not 
hold, see Appendix E. 


The following symbols are used in the clock count specifications: 
e n, which represents a number of repetitions. 


e m, which represents the number of components in the next instruction eceated: 

where the entire displacement (if any) counts as one component, the entire immedi- 

ate data (if any) counts as one component, and every other byte of the instruction and 
prefix(es) each counts as one component. 


e pm=, a clock count that applies when the instruction executes in Protected Mode. 
pm = is not given when the clock counts are the same for Protected and Real Address 
Modes. 3 
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When an exception occurs during the execution of an instruction and the exception. 
handler is in another task, the instruction execution time is increased by the number of 
clocks to effect a task switch. This parameter depends on several factors: 


° The type of TSS used to represent the new task (Intel486 CPU TSS or 80286 TSS). 
e Whether the current task is in V86 mode. | 

© Whether the new task is in V86 mode. 

e Whether accesses hit in the cache. | 

e Whether a task gate on an interrupt/trap gate is used. 


Table 26-5 summarizes the task switch times for exceptions, assuming cache hits and the 
use of task gates. For full details, see Appendix E. | | 


26.2.2.4 DESCRIPTION COLUMN 


The “Description” column following the “Clocks” column briefly explains the various 
forms of the instruction. The “Operation” and “Description” sections contain more 
details of the instruction’s operation. Se 


26.2.2.5 OPERATION. 


The “Operation” section contains an algorithmic description of the instruction which 
uses a notation similar to the Algol or Pascal language. The algorithms are composed of 
the following elements: | 


Comments are enclosed within the symbol pairs a and “*)”. 


Compound statements are enclosed between the keywords of the “if” statement (IF, | 
THEN, ELSE, FI) or of the “do” statement (DO, OD), or of the “case” statement 
(CASE ... OF, ESAC). | | | 


A register name implies the contents of the register. A register name enclosed in brack- 
ets implies the contents of the location whose address is contained in that register. For 
example, ES:[DI] indicates the contents of the location whose ES segment relative 
address is in register DI. [SI] indicates the contents of the address contained in register 
SI relative to SI’s default segment (DS) or overridden segment. : 7 


Table 26-5. Task Switch Times for Exceptions 


- New Task 


Old Task | — 
7 | | to Intel486™ CPU TSS to 80286 TSS_ | toVMTSS . 
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Brackets are also used for memory operands, where they mean that the contents of the 
memory location is a segment-relative offset. For example, [SRC] indicates that the 
contents of the source operand is a segment-relative offset. 


A < B; indicates that the value of B is assigned to A. 


The symbols =, <>, 2, and s are relational operators used ‘to compare two values, 
meaning equal, not equal, greater or equal, less or equal, respectively. A relational 
expression such as A = B is TRUE if the value of A is equal to B; otherwise it is 
FALSE. | 


The following identifiers are used in the algorithmic descriptions: 


e OperandSize represents the operand-size attribute of the instruction, which is either 
16 or 32 bits. AddressSize represents the address-size attribute, which i is either 16 or 
32 bits. For example, 


IF instruction = CMPSW 
THEN OperandSize < 16; 
ELSE 
IF instruction = CMPSD 
THEN OperandSize < 32; 
Fl; 
FI; 
indicates that the operand-size attribute depends on the form of the CMPS instruc- 
tion used. Refer to the explanation of address-size and operand-size attributes at the 
beginning of this. chapter for general guidelines on how these attributes are 
determined. 
e StackAddrSize represents the stack address-size attribute associated with the instruc- 
tion, which has a value of 16 or 32 bits, as explained earlier in the chapter. 
e SRC represents the source operand. When there are two operands, SRC is the one on 
the right. | 
e DEST represents the destination ea When there are two operands, DEST is 
the one on the left. 
0 LeftSRC, RightSRC distinguishes between two operands when both are source 
operands. 
e eSP represents either the SP register or the ESP eee depending o on the setting of 
the B-bit for the current stack segment. 


The following functions are used in the algorithmic descriptions: 

e Truncate to 16 bits(value) reduces the size of the value to fit 1 in 16 bits by discarding 
the uppermost bits as needed. | 

e Addr(operand) returns the effective address of the operand (the result of the effec- 
tive address calculation prior to adding the segment base). 

e ZeroExtend(value) returns a value zero-extended to the operand-size attribute of the 
instruction. For example, if OperandSize = 32, ZeroExtend of a byte value of —10 
converts the byte from F6H to doubleword with hexadecimal value QOOOOOOF6H. If the 
value passed to ZeroExtend and the operand-size attribute are the same size, 
ZeroExtend returns the value unaltered. 
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e SignExtend(value) returns a value sign-extended to the operand-size attribute of the 

instruction. For example, if OperandSize = 32, SignExtend of a byte containing the 

- value —10 converts the byte from F6H to a doubleword with hexadecimal value 

FFFFFFF6H. If the value passed to SignExtend and the operand-size attribute are 
the same size, SignExtend returns the value unaltered. 


e Push(value) pushes a value onto the stack. The number of bytes pushed is deter- 
mined by the operand-size attribute of the instruction. The action ay Push Is as 
follows: — 


IF StackAddrSize = 16 
THEN | 
IF OperandSize = 16 
_ THEN .. 
| SP <— SP - 2; 
SS:[SP] < value; (* 2 bytes assigned starting at 
byte address in SP *) | 
ELSE (* OperandSize = 32 *) 
SP <— SP — 4; 
SS:[SP] < value; (* 4 bytes assigned starting at © 
byte address in SP *) | 
Fl; 
ELSE (* StackAddrSize = 32 *) 
IF Sper encnlZe = : 
THEN | 
7 ESP. < ESP — 2 | . 
SS:[ESP] < value; (* 2 bytes aicned anid at 
byte address in ESP*) | 
“ELSE (* OperandSize = = 32*) 
ESP — ESP — 4; | | 
SS:[ESP] < value; (* 4 bytes assigned starting at 
byte address in ESP*) 
a Rl we OR : 
Fl; 


e Pop(value) removes the value from the top of the stack and returns it. The statement 
EAX < Pop( ); assigns to EAX the 32-bit value that Pop took from the top of the 
stack. Pop will return either a word or a doubleword depending on the operand-s size 
attribute. The action of Pop is as follows: 


IF StackAddrSize = 16. 
THEN 
IF OperandSize = = 1 6 
THEN ee 
ret val — SS:[SP}]; (* 2- -byte value 3 _ 
SP <— SP + 2; | 
ELSE (* OperandSize = 32 *) . - 
‘ret val <— SS: ISP], (* 4- pyle value | ae 
~SP< or - 4; | 
oe FI 
ELSE C StackAddrSize - = 30 *) 
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IF OperandSize = 16 
THEN | 
ret val — SS:[ESP]; (* 2 byte value *) 
ESP < ESP + 2: | 
ELSE (* OperandSize = 32 *) 
ret val — SS:[ESP]; (* 4 byte value *) 
ESP < ESP + 4; © | 
Fl; 
Fl; 
RETURN (ret val); (*returns a word or doubleword*) 


Pop ST is used on floating-point instruction pages to mean pop the FPU register stack. 


e Bit[BitBase, BitOffset] returns the address of a bit within a bit string, which is a 
sequence of bits in memory or a register. Bits are numbered from low-order to high- 
order within registers and within memory bytes. In memory, the two bytes of a word 
are stored with the low-order byte at the lower address. 


If the base operand is a register, the offset can be in the range 0..31. This offset 
addresses a bit within the indicated register. An example, ‘BIT[EAX, 21]’ is illus- 
trated in Figure 26-3. | | 


If BitBase is a memory address, BitOffset can range from —2 gigabits to 2 gigabits. 
The addressed bit is numbered (Offset MOD 8) within the byte at address (BitBase 
+ (BitOffset DIV 8)), where DIV is signed division with rounding towards negative 
infinity, and MOD returns a positive number. This is illustrated in Figure 26-4. 


° I-O-Permission (I-O-Address, width) returns TRUE or FALSE depending on the 1/O | 
permission bitmap and other factors. This function is defined as follows: 


IF TSS type is 80286 THEN RETURN FALSE; FI; 
Ptr <— [TSS + 66]; (* fetch bitmap pointer *) 
BitStringAddr < SHR (l-O-Address, 3) + Ptr; 
MaskShift — I-O-Address AND 7; 
CASE width OF: 

BYTE: nBitMask < 1; 

WORD: nBitMask < 3; 

DWORD: nBitMask <— 15; 


31 21 0 


iene = 21 eee , 


Figure 26-3. Bit Offset for BIT[EAX, 21] 


240486i26-15 
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BIT INDEXING (POSITIVE OFFSET) _ 


765432107654321076543210 


| BITBASE + 1 | BITBASE | BITBASE — 1 | 
toreser = -13 


_ BIT INDEXING (NEGATIVE OFFSET) 


765432107654321076543210 


| BITBASE BE BITBASE—1 | BITBASE — 2 
OFFSET = -11- a 


| Re aoasii06-4 
Figure 26-4. Memory Bit Indexing — : 
~~ ESAC: 
~~ mask — SHL (nBitMask, MaskShift): 
CheckString < [BitStringAddr] AND mask; 
_ IF CheckString = 0 
THEN RETURN (TRUE); | 


ELSE RETURN (FALSE); 
Fl: 


e Switch-Tasks is the task switching function described in Chapter re 


26.2.2.6 DESCRIPTION 


The “Description” section contains further explanation of the instruction’s operation. 


26.2.2.7 FLAGS AFFECTED 


The “Flags Affected’ section lists the flags that are affected by the instruction, as 
follows: | 


e Ifa flag is always cleared or always set by the instruction, the value is given (0 or 1) 
after the flag name. Arithmetic and logical instructions usually assign values to the 
status flags in the uniform manner described in Appendix C. Nonconventional assign- 
ments are described in the “Operation” section. — 


e The values of flags listed as “undefined” may be changed by the instruction in an 
indeterminate manner. 


All flags not listed are unchanged by the instruction. 
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The floating-point instruction pages have a section called “FPU Flags Affected,” which 
tells how each instruction can affect the four condition code bits of the FPU status word. 
These pages also have a section called ““Numeric Exceptions,” which lists the exception 
flags of the FPU status word that each instruction can set. 


26.2.2.8 PROTECTED MODE EXCEPTIONS 


This section lists the exceptions that can occur when the instruction is executed in 
protected mode. The exception names are a pound sign (#) followed by two letters and 
an optional error code in parentheses. For example, #GP(0) denotes a general protec- 
tion exception with an error code of 0. Table 26-6 associates each two-letter name with 
the corresponding interrupt number. | 


Chapter 9 describes the exceptions and the Intel486 processor state upon entry to the 
exception. 


Application programmers should consult the documentation provided with their operat- 
ing systems to determine the actions taken when exceptions occur. 


26.2.2.9 REAL ADDRESS MODE EXCEPTIONS 


Because less error checking is performed by the Intel486 processor in Real Address 
Mode, this mode has fewer exception conditions. Refer to Chapter 22 for further infor- 
mation on these exceptions. 


_ 26.2.2.10 VIRTUAL-8086 MODE EXCEPTIONS | 


_ Virtual 8086 tasks provide the ability to simulate Virtual 8086 machines. Virtual 8086 
Mode exceptions are similar to those for the 8086 processor, but there are some differ- 
ences. Refer to Chapter 23 for details. 


Table 26-6. Exceptions 
a 
6 Invalid opcode 

Device not available 
Doubel fault 
Invalid TSS 
Segment or gate not present 
Stack fault 


General protection fault 


Page fault 
Floating-point error 
Alignment check 


26-17. 


intel. | | _ INSTRUCTION SET 


AAA — ASCII Adjust after Addition 


Operation 


IF ((AL AND OFH) > 9) OR (AF = 1) 
THEN — _ 
AL <— (AL + 6) AND OFH; 
AH <— AH + 1; 
AF <— 1; 
CF <1; 
ELSE 
CF < 0; 
AF < 0; 
Fl: ee 


Description 

Execute the AAA instruction only following an ADD instruction of two unpacked BCD 
bytes that leaves a byte result in the AL register. In this case, the AAA instruction 
adjusts the AL register to contain the correct decimal digit result. If the addition pro- 
duced a decimal carry, the AH register is incremented, and the CF and AF flags are set. 
If there was no decimal carry, the CF and AF flags are cleared and the AH register is 


unchanged. In either case, the AL register is left with its top nibble set to 0. To convert ° 
the AL register to an ASCII result, follow the AAA instruction with OR AL, 30H. 


Flags Affected | 


The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal 
anys the aes aa and PF wags are undefined. | 


Protected Mode Exceptions | 
None: 

Real Address Mode Exceptions 
None. | 
Virtual 8086 Mode Excoptioné 


None. 
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AAD — ASCII Adjust AX before Division | 


Operation 


AL <— AH * 10 + AL; 
AH <0; — 


Description 

The AAD instruction is used to prepare two unpacked BCD digits (the least-significant 
digit in the AL register, the most-significant digit in the AH register) for a division 
operation that will yield an unpacked result. This is accomplished by setting the AL 


register to AL + (10 * AH), and then clearing the AH register. The AX Reeser Is is then 
equal to the binary equivalent of the original unpacked two-digit number. | 


Flags Affected 


The SF, ZF, and PF flags are set according to the result; the OF, AF, and CF ee are 
undefined. 


Protected Mode Exceptions 
None. 
Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 
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AAM — ASCII Adjust AX after Multiply — 


Operation 


AH < AL / 10: 
AL <— AL MOD 10; 


Description 

Execute the AAM instruction only after executing a MUL instruction between two 
unpacked BCD digits that leaves the result in.the AX register. Because the result is less 
than 100, it is contained entirely in the AL register: The AAM instruction unpacks the 


AL result by dividing AL by 10, leaving the quotient (most-significant digit) m in the AH 
register and the remainder (least-significant digit) in the AL register. | | 


Flags Affected | 


The SF, ZF, and PF flags are set according to: the result; the OF, AF, and CF flags a are 
undefined. 


Protected Mode Exceptions 


None. 

Real Address Mode Exceotions 
None. 

Virtual 8086 Mode Exceptions 


None. 
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AAS — ASCII Adjust AL after Subtraction 


| Opcode Instruction Clocks Description 
3F AAS 3 ASCII adjust AL after subtraction 
Operation 
IF (AL AND OFH) > 9 OR AF = 1 
THEN | 
AL <— AL — 6; 
AL <— AL AND OFH; 
AH < AH — 1; 
AF <— 1; 
CF < 1; 
ELSE 
CF <— 0; 
AF < 0; 
Fl; 
Description 


Execute the AAS instruction only after a SUB instruction of two unpacked BCD bytes 
that leaves the byte result in the AL register. In this case, the AAS instruction adjusts 
the AL register so it contains the correct decimal digit result. If the subtraction pro- 
duced a decimal carry, the AH register is decremented, and the CF and AF flags are set. 
If no decimal carry occurred, the CF and AF flags are cleared, and the AH register is 
unchanged. In either case, the AL register is left with its top nibble set to 0. To convert 
the AL result to an ASCII result, follow the AAS instruction with OR AL, 30H. 


Flags Affected 


The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal 
carry; the OF, SF, ZF, and PF flags are undefined. 


Protected Mode Exceptions 
None. 
Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 
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ADC—Add with Carry 2 


Opcode Instruction Clocks:. : © Description 


14 ib ADC. AL,imm8 32: 2) Aseiin OO Add with carry immediate byte to AL 

AB IW sw. ADO AK UG os os Ais gn WR OH -Add with carry immediate word.to AX 

15 id ADC EAX,imm32 Add with carry immediate dword to EAX 

80 /2 ib ADC r/m8,imm8s Add with carry immediate byte to r/mbyte — 

81 /2 iw ADC r/m16,imm16 Add with carry immediate word to r/m word | 

81 /2 id ADC r/m32,imm32 Add with CF immediate dword to r/m dword 

83 /2 ib ADC r/m16,imm8 Add with CF sign-extended immediate byte to.r/m word . 

83 /2 ib ADC r/m32,imm8s fe a CF sign- -extended immediate byte into rm. 
wor 

10 /r ADC r/m8,r8 Add with carry byte register to r/m byte 

11 /r ADC r/m16,r16 Add with carry word register to /m word _ 

11 /r ADC 1r/m32,r32 Add with CF dword register to r/m dword © 

12 /r ADC r8,r/m8 Add with carry r/m byte to byte register: 

13 /r ADC r16,r/m16 Add with carry r/m word to word register 

13 /r ADC 132,r/m32 Add with CF r/m dword to dword register 


Operation 


DEST <- DEST + SRC + CF; 


rhea hm Desies ee 
The ADCi instruction aoe an ee addition of the two. operands DEST and SRC 
and the carry. flag, CF. The result of the addition As. assigned to the first operand 
(DEST), and. the.flags are. set. accordingly. The ADC instruction is usually executed as 
part. of.a multi- -byte or. multi-word addition operation. When an immediate byte value is 
added to.a word or doubleword operand,. the immediate value is first sign- -extended to 
the size of the word or doubleword operand. | 


Rlags pocees, 


The OF, SF, ZF, AF, CF, and PF age’ are set eee to the resiilt. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault- -code) for a page fault; #AC for unaligned memory REKeteuce 
7 the current privilege level is 3. — 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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ADD —Add 


Instruction . ~ Clocks | . ~ Description 


ADD AL,immés a ae . -" Add immediate byte to AL 

ADD AX,imm16 Add immediate word to AX 

ADD EAX,imm32 Add immediate dword to EAX 

ADD r/m8,imm8 Add immediate byte to r/m byte 

ADD r/m16,imm16 Add immediate word to r/m word 

ADD r/m32,imm32 Add immediate dword to r/m dword 

ADD r/m16,imm8 | Add sign-extended immediate byte to r/m word 
ADD r/m32,immés . Add sign-extended immediate byte to r/m dword 
ADD r/m8,r8 _ Add byte register to r/m byte 

ADD r/m16,r16 Add word register to r/m word 

ADD r/m32,r32 Add dword register to r/m dword 

ADD r8,r/m8 Add r/m byte to byte register 

ADD r16,r/m16 Add r/m word to word register 

ADD r32,r/m32 | Add r/m dword to dword register 


Operation 


DEST <— DEST + SRC; 


Description 


The ADD instruction performs an integer addition of the two operands (DEST and 
SRC). The result of the addition is assigned to the first operand (DEST), and the flags 
are set accordingly. 


When an immediate byte is added to a word or doubleword operand, the immediate 
value is sign-extended to the size of the word or doubleword operand. 


Flags Affected 


The OF, SF, ZF, AF, CF, and PF flags are set according to the result. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault- -code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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AND — Logical AND 


Instruction - . Clocks Description | 
AND AL,imm8 . -. "AND immediate byte to AL _ 
AND AxX,imm16 AND immediate word to AX 
AND EAX,imm32 AND immediate dword to EAX 
AND r/m8,imm8s AND immediate byte to r/m byte 
AND r/m16,imm16 AND immediate word to r/m word 
AND 1/m32,imm32 . AND immediate dword to r/m dword 
AND r/m16,imm8 AND sign- -extended immediate byte with r/m word 
AND r/m32,imm8 AND sign-extended immediate byte with r/m dword 
AND r/m8,r8 — AND byte register to r/m byte 
AND 1r/m16,r16 AND word register to r/m word 
AND r/m32,r32 AND dword register to r/m dword 
AND r8,r/m8 . AND r/m byte to byte register 
AND r16,r/m16 AND r/m word to word register 
AND 132,1r/m32 AND r/m dword to dword register 
Operation 
DEST < DEST AND SRC; 
CF < 0; 
OF < 0; 
Description 


Each bit of the result of the AND instruction is a 1 if both corresponding bits of the 
operands are 1; otherwise, it becomes a 0. 


Flags Affected 


The CF and OF flags are cleared; the PF, SF, and ZF flags are set according to the 
result; the AF flag is undefined. 


Protected Mode Exceptions 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault-code) for a page fault; #AC for. unaligned memory reference . 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand yous lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
_ unaligned memory reference if the current privilege level is 3. 
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ARPL — Adjust RPL Field of Selector 


Operation 


IF RPL bits(0,1) of DEST < RPL bits(0,1) of SRC 
THEN 7 

ZF <— 1; 

RPL bits(0,1) of DEST < RPL bits(0,1) of SRC; 
ELSE 

ZF <— 0; 
Fl; 


| Description 


The ARPL instruction has two operands. The first operand is a 16-bit memory variable 
or word register that contains the value of a selector. The second operand is a word 
register. If the RPL field (“requested privilege level” —bottom two bits) of the first 
operand is less than the RPL field of the second operand, the ZF flag is set and the RPL 
field of the first operand is increased to match the second operand. Otherwise, the ZF 
flag is cleared and no change is made to the first operand. 


The ARPL instruction appears in operating system software, not in application pro- 
grams. It is used to guarantee that a selector parameter to a subroutine does not request 
more privilege than the caller is allowed. The second operand of the ARPL instruction is 
normally a register that contains the CS selector value of the caller. 


Flags Affected 


The ZF flag is set if the RPL field of the first operand is less than that of the second 
operand. 


Protected Mode Exceptions 


#GP(0) if the result is a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault- -code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 
Interrupt 6; the ARPL instruction is not recognized in Real Address Mode. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF (fault-code) for a page fault; #AC for | 
unaligned meno reference if the current EPOMISES level is 3. : 
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BOUND — Check Array Index Against Bounds 


Opcode Instruction Clocks Description - 


62 /r BOUND r16,m16&16 7 ~~ 7 Check if r76 is within bounds (passes test) 
62 /r BOUND r32,m32&32 7 Check if r32 is within bounds (passes test) 


Operation 


IF (LeftSRC < [RightSRC] OR LeftSRC > [RightSRC + OperandSize/8]) 
(* Under lower bound or over upper bound *) 

THEN Interrupt 5; 

Fl; 


Description 


The BOUND instruction ensures that a signed array index is within the limits specified 
by a block of memory consisting of an upper and a lower bound. Each bound uses one 
word when the operand-size attribute is 16 bits and a doubleword when the operand-size 
attribute is 32 bits. The first operand (a register) must be greater than or equal to the 
first bound in memory (lower bound), and less than or equal to the second bound in 
memory (upper bound) plus the number of bytes occupied for the operand size. If the 
register is not within bounds, an Interrupt 5 occurs; the return EIP points to the 
BOUND instruction. 


The bounds limit data structure is usually placed just before the array itself, making the 
limits addressable via a constant offset from the beginning of the array. | 


Flags Affected 


None. 


Protected Mode Exceptions 


Interrupt 5 if the bounds test fails, as described above; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault- code) for a page fault; #AC for unaligned mem- 
ory reference if the current privilege level is 3. 


The second operand must be a memory operand, not a register. If the BOUND instruc- 


tion is executed with a ModR/M byte representing a register as the second operand, 
#UD occurs. 


Real Address Mode Exceptions 
Interrupt 5 if the bounds test fails; Interrupt 13 if any part of the operand would lie 


outside of the effective address space from 0 to OFFFFH; Interrupt 6 if the second 
operand is a register. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- code) for a page fault; #AC for | 
ynahened memory relerence if the current privilege levelis 3. a 
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BSF — Bit Scan Forward 


Opcode . Instruction Clocks _ Description 


OF BC BSF r16,r/m16 6-42/7-43 Bit scan forward on r/m word 
OF BC BSF r32,r/m32 6-42/7-43 Bit scan forward on r/m dword 


Operation 


IF rm = 0 
THEN 
ZF <— 1; 
register < UNDEFINED; 
ELSE 
temp < 0; 
ZF < 0; 
WHILE BIT[r/m, temp] = 0 
DO 
temp < temp + 1; 
register <— temp; 
OD; 
Fl; 


Description 


The BSF instruction scans the bits in the second word or doubleword operand starting 
with bit 0. The ZF flag is set if all the bits are 0; otherwise, the ZF flag is cleared and the 
destination register is loaded with the bit index of the first set bit. 


Flags Affected 


The ZF flag is set if all bits are 0; otherwise, the ZF flag is cleared. OF, SF, AF, PF, 
CF = undefined. 


Protected Mode Exceptions 


#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3.. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. ) 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- -code) for a page fault; #AC for 
unaligned memo reference if the current privilege pial is 3. ‘ a 


26-32 


Intel. INSTRUCTION SET 


BSR —Bit Scan Reverse 


‘Opcode . Instruction Clocks "Description: 


OF BD BSR r16,r/m16 6-103/7-104 Bit scan reverse‘on r/m word 
OF BD BSR r32,r/m32 6-103/7-104 Bit scan reverse on r/m dword 


Operation 


IF rm = 0 
THEN 
Le = 1; 
register <- UNDEFINED; 
ELSE 
temp < OperandSize — 1; 
ZF <0; | 
WHILE BIT[r/m, temp] = 0 
DO 
temp <- temp — 1; 
register < temp; 
OD; 
Fl; 


Description 


The BSR instruction scans the bits in the second word or doubleword operand from the 
most significant bit to the least significant bit. The ZF flag is set if all the bits are 0; 
otherwise, the ZF flag is cleared and the destination register is loaded with the bit index 
of the first set bit found when scanning in the reverse direction. 


Flags Affected 


The ZF flag is set if all bits are 0; otherwise, the ZF nee is cleared. OS, SF, AF, PF, . 
CF = undefined. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference 
_if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. | 
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BSWAP — Byte Swap 


Opcode instruction Description 


OF C8/r BSWAP r32, os Swap bytes to convert little/big endian data ina 
: 32-bit register to big/little endian form. 


Operation 

TEMP < r32 

r32(7..0) <— TEMP(31..24) 
r32(15..8) — TEMP(23..16) 


( 
r32(23..16) <— TEMP(15..8) 
r32(31..24) <— TEMP(7..0) 


Description 
The BSWAP instruction reverses the byte order of a 32-bit register, converting a value in 


little/big endian form to big/little endian form. When BSWAP is used with 16-bit oper- 
and size, the result left in the destination register is undefined. 


Flags Affected 

None. 

Protected Mode Exceptions 
None. | | 


Real Address Mode Exceptions | 


None. | 

Virtual 8086 Mode Exceptions 
None. 

Notes 


BSWATP is not supported on Intel386 processors. See Section 3.11 to use BSWAP com- 
patible with Intel386 processors. | 
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BT — Bit Test 


Opcode Instruction _ : Clocks Description 
OF A3 BT r/m16,r16 — 3/8 Save bit in carry flag 


OF A3 ~ BT. Wm32,r382, 8/8 Save bit in carry flag 
OF BA /4 ib BT r/m16,imm8 | 3/3 3 -. Save bit in carry flag 
OF BA /4 ib BT r/m32,imm8 3/3 Save bit in carry flag 


Operation 


CF < BIT[LeftSRC, RightSRC]; 


Description 


The BT instruction saves the value of the bit indicated by the base (first operand) and 
the bit offset oe operand) into the CF ia 


Flags Affected 


The CF flag contains the value of the selected bit. 


Protected Mode Exceptions 


#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault- code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- -code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes © 


The index of the selected bit can be given by the immediate constant in the instruction 
or by a value in a general register. Only an 8-bit immediate value is used in the instruc- 
tion. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This 
allows any bit within a register to be selected. For memory bit strings, this immediate 
field gives only the bit offset within a word or doubleword. Immediate bit offsets larger 
than 31 are supported by using the immediate bit offset field in combination with the 
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_ displacement field of the memory operand. The low-order 3 to 5 bits of the immediate 
bit offset are stored in the immediate bit offset field, and the high-order bits are shifted 
and combined with the byte displacement in the addressing mode by the assembler. The 
processor will ignore the high order bits if they are not zero. 


When accessing a bit in memory, the processor may access four bytes starting from the 
memory address given by: 


Effective Address + (4 * (BitOffset DIV 32)) 
for a 32-bit operand size, or two bytes starting from the memory address given by: 
Effective Address + (2 * (BitOffset DIV 16)) 
for a 16-bit operand size. It may do so even when only a single byte needs to be accessed 
in order to reach the given bit. You must therefore avoid referencing areas of memory 
close to address space holes. In particular, avoid references to memory-mapped I/O 


registers. Instead, use the MOV instructions to load from or store to these addresses, 
and use the register form of these instructions to manipulate the data. 
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BIC — Bit Test and Complement _ 


Opcode a inairuction te Clocks. oe - <: Description - | a 
OF BB BTC r/m16,r16 ISA wo. — Save bit in carry flag and complement 


OF BB BTC r/m32,r32 6/13 Save bit in carry flag and complement 
OF BA/7 ib = BTC r/m16,imm8& 6/8 ase .s Save bit in carry flag and complement, _ 
OF BA/7 ib) ~=BTC r/m32,imm8& 6/8 “s Save bit in carry flag and complement — 


Operation 


CF < BIT[LeftSRC, RightSRC]; ; 
Pern RightSRC] < NOT BITILeRSAC, FightSAC}; 


Description 


The BTC instruction saves the value of the bit indicated byt the base (first operand) and 
the bit offset (second operand): into the CF flag and then complements the bit. = 


Flags Affected 


The CF flag contains the complement of the selected bit. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand © 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault- code) for a page fault; #AC for uneneaee memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


The index of the selected bit can be given by the immediate constant in the instruction 
or by a value in a general register. Only an 8-bit immediate value is used in the instruc- 
tion. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This 
allows any bit within a register to be selected. For memory bit strings, this immediate 
field gives only the bit offset within a word or doubleword. Immediate bit offsets larger 
than 31 are supported by using the immediate bit offset field in combination with the 
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displacement field of the memory operand. The low-order 3 to 5 bits of the immediate 
bit offset are stored in the immediate bit offset field, and the high-order bits are shifted 
and combined with the byte displacement in the addressing mode by the assembler. The 
processor will ignore the high order bits if they are not zero. | 


When accessing a bit in memory, the processor may access four bytes starting from the 
memory address given by: | | 


Effective Address + (4 * (BitOffset DIV 32)) 
for a 32-bit operand size, or two bytes starting from the memory address given by: 
Effective Address + (2 * (BitOffset DIV 16)) 
for a 16-bit operand size. It may do so even when only a single byte needs to be accessed 
in order to reach the given bit. You must therefore avoid referencing areas of memory 
close to address space holes. In particular, avoid references to memory-mapped I/O 


registers. Instead, use the MOV instructions to load from or store to these addresses, 
and use the register form of these instructions to manipulate the data. 
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BTR — Bit Test and Reset 


Opcode Instruction | _ Clocks OR, - Description — 


OF B3 ‘BTR r/m16,r16 6/13 : ~ Save bit in carry flag and reset 
OF B3 BTR r/m32,r32 6/13 Save bit in carry flag and reset 
OF BA /6 ib BTR r/m16,imm8 . ' 6/8. Save bit in carry flag and reset 
OF BA /6 ib BTR r/m32,imm8 6/8 := — Save bit in carry flag and reset 


Operation 


CF < BIT[LeftSRC, RightSRC]; 
BIT[LeftSRC, RightSRC] < 0: 


Description 


The BTR instruction saves the value of the bit indicated by the base (first operand) and 
the bit offset (second operand) into the CF flag . and then stores 0 in oe bit. | 


Flags Affected 


The CF flag contains the value of the selected bit. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes | 


The index of the selected bit can be given by the immediate constant in the instruction 
or by a value in a general register. Only an 8-bit immediate value is used in the instruc- 
tion. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This 
allows any bit within a register to be selected. For memory bit strings, this immediate 
field gives only the bit offset within a word or doubleword. Immediate bit offsets larger 
than 31 (or 15) are supported by using the immediate bit offset field in combination with 
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the displacement field of the memory operand. The low-order 3 to 5 bits of the imme- 
diate bit offset are stored in the immediate bit offset field, and the high-order bits are 
_ shifted and combined with the byte displacement in the addressing mode by the assem- 
bler. The processor will ignore the high order bits if they are not zero. 


When accessing a bit in memory, the processor may access four bytes starting from the 
memory address given by: | 


Effective Address + 4 * (BitOffset DIV 32) 
for a 32-bit operand size, or two bytes starting from the memory address given by: 
Effective Address + 2 * (BitOffset DIV 16) 
for a 16-bit operand size. It may do so even when only a single byte needs to be accessed 
in order to reach the given bit. You must therefore avoid referencing areas of memory 
close to address space holes. In particular, avoid references to memory-mapped I/O 


registers. Instead, use the MOV instructions to load from or store to these addresses, 
and use the register form of these instructions to manipulate the data. — 
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: BTS - Bit Test and Set 


Clocks eo 7 Description 


| OF AB . BTS r/m16,716 6/13 | Save bit in carry flag and set 
OF AB BTS 1/m32,r32 6/13 Save bit in carry flag and set 


Opcode > Instruction 


OF BA /5 ib BTS r/m16,imm8 6/8 a Save bit in carry flag and set 
OF BA/5 ib BTS r/m32,imm8 6/8 Save bit in carry flag and set 


Operation 


CF < BIT[LeftSRC, RightSRC]; 
BIT[LeftSRC, RightSRC] < 1; 


Description 


The BTS instruction saves the value of the bit indicated by the base (first operand) and 
the bit offset (second operand) into the CF flag and then stores 1 in the bit. | 


Flags Affected 


The CF flag contains the value of the selected bit. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


The index of the selected bit can be given by the immediate constant in the instruction 
or by a value in a general register. Only an 8-bit immediate value is used in the instruc- 
tion. This operand is taken modulo 32, so the range of immediate bit offsets is 0..31. This 
allows any bit within a register to be selected. For memory bit strings, this immediate 
field gives only the bit offset within a word or doubleword. Immediate bit offsets larger 
than 31 are supported by using the immediate bit offset field in combination with the 
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displacement field of the memory operand. The low-order 3 to 5 bits of the immediate 
bit offset are stored in the immediate bit offset field, and the high order bits are shifted 
and combined with the byte displacement in the addressing mode by the assembler. The 
pigcessor will ee the. high order. bits if they are not zero. | | 


When accessing a Bit in memory, the processor may access four bytes starting from the 
memory address given by: 


Effective Address + a (BitOffset DIV 32)) 
for a 32-bit operand size, or two eyes starting from the memory address given my 
Effective Address + (2 * (BitOffset DIV 16)) 


for a 16-bit operand size. It may do this even when only a single byte needs to be 
accessed in order to get at the given bit. You must therefore be careful to avoid refer- 
encing areas of memory close to address space holes. In particular, avoid references to 
memory-mapped I/O registers: Instead, use the MOV instructions to load from or store 
to these addresses, and use the register form of these instructions to Se the 
data. : 
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CALL — Call Procedure 


Clocks | 


Instruction | 


CALL re/76 
CALL r/m16 
CALL ptr16:16 


CALL ptr16:16 


CALL ptr16:16 
CALL ptr16:16 
CALL ptr16:16 
CALL m16:16 
CALL m16:16 
_ CALL m16:16 
CALL m16:16 
CALL m16:16 
CALL re/32 
CALL r/m32 


CALL ptr16:32 | 


CALL ptr16:32 


_ CALL ptr16:32 


CALL ptr16:32 
~ CALL pitr16:32 
~ CALL m16:32 
CALL m16:32 
CALL m16:32 
CALL m16:32 
CALL 16:32 


3 

5/5 
18,om=20 
pm=35 
pm=69 
pm=77 + 4x 
pm=37 +ts 
17,pm=20 | 
pm=35 
pm=69 
pm=77 + 4x 
pm=37 +ts 
3 


5/5 
18,pm=20 
pm=35 . 
pm=69 


— pm=77+4x 
—pm=37+ts’ | 


17,pm=20 


_ pm=35 


pm=69° 
pm=77 + 4x 


INSTRUCTION SET 


Description 


Call near, displacement relative to next instruction 
Call near, register indirect/memory indirect 

Call intersegment, to full pointer given 

Call gate, same privilege © 

Call gate, more privilege, no parameters 

Cail gate, more privilege, x parameters 

Call to task | | 

Call intersegment, address at r/m dword 

Call gate, same privilege 


Cail gate, more privilege, no parameters 


Call gate, more privilege, x parameters 

Call to task 

Call near, displacement relative to next instruction 
Call near, indirect 

Call intersegment, to full pointer given 


Call gate, same privilege A aw 
- Call gate, more privilege, no parameters 


Call gate, more privilege, x parameters 
Call to task — _ | 

Call intersegment, address at r/m dword:. . — 
Call gate, same privilege 

Call gate, more privilege, no parameters 

Call gate, more privilege, x parameters 


Call to task 


pm=37+ts 


NOTE: Values of ts are given by the following table: 


Old Task : 
| to Intel486™ CPU TSS to 80286 TSS to VM TSS 


Operation 


IF rel16 or re[32 type of call 
THEN (* near relative call *) 
IF OperandSize = 16 
THEN 
Push(IP); 
EIP < (EIP + re/16) AND OOOOFFFFH; 
ELSE (* OperandSize = 32 *) a 
Push(EIP); 
EIP — EIP + rel32; 
Fl; 
Fl; 


IF r/m16 or r/m32 type of call 
THEN (* near absolute call *) 
IF OperandSize = 16 
THEN 
Pushi(IP); 
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EIP < [r/m16] AND OOOOFFFFH; 
ELSE (* OperandSize = 32 *) 
Push(EIP); 
EIP — [r/m32]; 
Fl; 
Fl; 


IF (PE = 0 OR (PE = 1 AND VM = 1)) 
(* real mode or virtual 8086 mode *) 
AND instruction = far CALL 
(* i.e., operand type is m16:16, m16:32, ptr16:16, ptr16:32 *) 
THEN 
IF OperandSize = 16 
_ THEN 
Push(CS); 
Push(IP); (* address of next instruction; 16 bits *) 
ELSE 
Push(CS); (* padded with 16 high-order bits *) 
Push(EIP); (* address of next instruction; 32 bits *) 
Fl; ne : 
IF operand type is m16:716 or m16:32 
THEN (* indirect far call *) 
IF OperandSize = 16 
THEN 
CS:IP — [m16:16]; 
EIP — EIP AND OOOOFFFFH; ( clear baal 16 bits =. 
ELSE (* OperandSize = 32.*) 
CS:EIP — [m16:32]; 
Fl; 
Fl; 
IF operand type is pir16:16 or ptr16:32 
THEN (* direct far call *) 7 
IF OperandSize = 16 
THEN 
CS:IP <— ptr16:16; : 
EIP <— EIP AND QOOOFFFFH: ¢ clear uppers 16 bits * 
ELSE (* OperandSize = 32 *) 
CS:EIP <— ptr16:32, 
Fl; 
Fl; 
Fl; 


IF (PE = 1 AND VM = 0) (* Protected mode, not ee mode *) 
AND instruction = far CALL 
THEN 
lf indirect, then check access of EA doubleword; 
#GP(0) if limit violation; 
New CS selector must not be null else #GP(0); 
Check that new CS selector index is within its 
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descriptor table limits; else #GP(new CS selector); | 
Examine AR byte of selected descriptor for various legal values; — 
depending on value: 
go to CONFORMING-CODE-SEGMENT; | 
go to NONCONFORMING-CODE-SEGMENT; 
go to CALL-GATE; 
go to TASK-GATE; 
go to TASK-STATE-SEGMENT; 
ELSE #GP(code segment selector); 
Fl; 


CONFORMING-CODE-SEGMENT: 
DPL must be < CPL ELSE #GP(code segment selector); 
Segment must be present ELSE #NP(code segment selector); 
Stack must be big enough for return address ELSE #SS(0); 


Instruction pointer must be in code segment limit ELSE #GP(0); > 


Load code segment descriptor into CS register; 

Load CS with new code segment selector; . - 

Load EIP with zero-extend(new offset); . 

IF OperandSize = 16 THEN EIP < EIP AND QOO0FFFFH; FI: 


NONCONFORMING-CODE-SEGMENT: 
RPL must be < CPL ELSE #GP(code segment selector) 
DPL must be = CPL ELSE #GP(code segment selector) 
Segment must be present ELSE #NP(code segment selector) 
Stack must be big enough for return. address ELSE #SS(0) 
Instruction pointer must be in code segment limit ELSE #GP(0)- 
Load code segment descriptor into CS register 
Load CS with new code segment selector 
Set RPL of CS to CPL 
Load EIP with zero-extend(new offset); 
IF OperandSize= 16 THEN EIP <- EIP AND OO00FFFFH: Fl: 


CALL-GATE: 
Call gate DPL must be = CPL ELSE #GP(call gate selector) 


Call gate DPL must be => RPL ELSE #GP(call gate selector) 7 ae 


Call gate must be present ELSE #NP(call gate selector) 
Examine code segment selector in call gate descriptor: 
Selector must not be null ELSE #GP(0) 
Selector must be within its descriptor table 
limits ELSE #GP(code segment selector) 
AR byte of selected descriptor must indicate code 
segment ELSE #GP(code segment selector) =~ 
DPL of selected descriptor must be < CPL ELSE 
#GP(code segment selector) 
IF non-conforming code segment AND DPL < CPL: 
THEN go to MORE-PRIVILEGE 
ELSE go to SAME-PRIVILEGE 
Fl; 
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MORE-PRIVILEGE: 
Get new SS selector for new privilege level from TSS 
Check selector and descriptor for new SS: 
Selector must not be null ELSE #TS(0) 
Selector index must be within its descriptor 
table limits ELSE #TS(SS selector) _ 
Selector’s RPL must equal DPL of code segment 
ELSE #TS(SS selector) 
Stack segment DPL must equal DPL of code 
segment ELSE #TS(SS selector) 
Descriptor must indicate writable data segment 
ELSE #TS(SS selector) 
segment present ELSE #SS(SS selector) 
IF OperandSize = 32 
THEN | 
New stack must have room for parameters plus 16 bytes 
ELSE #SS(SS selector) 
EIP must be in code segment limit ELSE #GP(0) 
Load new SS:eSP value from TSS 
Load new CS:EIP value from gate 
ELSE | 
New stack must have room for parameters plus 8 bytes 


ELSE #SS(SS selector) 
IP must be in code segment limit ELSE #GP(0) 
Load new SS:eSP value from TSS 
Load new CS:IP value from gate 
Fi; 
Load CS descriptor 
Load SS descriptor 
Push long pointer of old stack onto new stack 
Get word count from call gate, mask to 5 bits 
Copy parameters from old stack onto new stack 
Push return address onto new stack 
Set CPL to stack segment DPL 
Set RPL of CS to CPL 


SAME-PRIVILEGE: 
IF OperandSize = 32 
THEN 
Stack must have room for 6-byte return address (padded to 8 bytes) 
ELSE #S3S(0) 3 
EIP must be within code segment limit ELSE #GP(0) 
‘Load CS:EIP from gate 
ELSE | : . 
Stack must have room for 4-byte return address ELSE #SS(0) - 
IP must be within code segment limit ELSE #GP(0) 
Load CS:IP from gate 
Fl; 
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Push return address onto stack 
Load code segment descriptor into CS register. 
ane RPL of CS to CPL 


TASK-GATE: 

Task gate DPL must be = CPL ELSE #TS(gate selector) 

Task gate DPL must be = RPL ELSE #TS(gate selector) 

Task Gate must be present ELSE #NP(gate selector) 

Examine selector to TSS, given in Task Gate descriptor: — . 
Must specify global in the local/global bit ELSE #TS(TSS selector) | 
Index must be within GDT limits ELSE #TS(TSS selector) 

TSS descriptor AR byte must specify nonbusy TSS | 
ELSE #TS(TSS selector) 
Task State Segment must be present ELSE #NP(TSS selector) 

SWITCH-TASKS (with nesting) to TSS 

IP must be in code segment limit ELSE #TS(0) 


TASK-STATE-SEGMENT: 
TSS DPL must be = CPL ELSE #TS(TSS selector) 
TSS DPL must be = RPL ELSE #TS(TSS selector) 
TSS descriptor AR byte must specify available TSS 
ELSE #TS(TSS selector) | 
Task State Segment must be present ELSE vere selector) 
SWITCH-TASKS (with nesting) to TSS 
IP must be in code segment limit ELSE #TS(0) _ 


Description 


The CALL instruction causes the procedure named in the operand:to be executed. 
When the procedure is complete (a return instruction is executed within the procedure), 
execution continues at the instruction that follows the CALL instruction. 


The action of the different forms of the instruction are described below. 7 


Near calls are those with destinations of type r/m16, r/m32, rel16, rel32, changing or saving 
the segment register value is not necessary. The CALL re/i6 and CALL re/l32 forms add 
a signed offset to the address of the instruction following the CALL instruction to deter- 
mine the destination. The re/16 form is. used when the instruction’s. operand-size 
attribute is 16 bits; rel32 is used when the operand-size attribute is 32 bits. The result is 
stored in the 32-bit EJP register. With re/16, the upper 16 bits of the EJP register are 
cleared, resulting in an offset whose value does not exceed 16 bits. CALL. r/m16 and 
CALL r/m32 specify a register or memory location from which the absolute segment 
offset is fetched. The offset fetched from r/m is 32 bits for an operand-size attribute: of 32 
(r/m32), or 16 bits for an operand-size of 16 (r/m16). The offset.of the instruction: follow- 
ing the CALL instruction is pushed onto the stack. It will be popped by..a near RET 
instruction within the procedure. The CS register is not changed by this form of CALL. 
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The far calls, CALL ptr16:16 and CALL pitr16:32, use a four-byte or six-byte operand as 
a long pointer to the procedure called. The CALL m16:16 and m16:32 forms fetch the 
long pointer from the memory location specified (indirection). In Real Address Mode or 
- Virtual 8086 Mode, the long pointer provides 16 bits for:the CS register and 16 or 32 bits 
for the EJP register (depending on the operand-size attribute). These forms of the 
instruction push both the CS and IP or EIP registers as a return address. | 


In Protected Mode, both long pointer forms consult the AR byte in the descriptor 
indexed by the selector part of the long pointer.. Depending on the value of the AR. mac 
the call will perform one of the following types of control transfers: met 


o A far call to the same protection level 

eo An inter-protection level far call 

e A task switch | 

A CALL-indirect-thru-memory, which uses the stack pointer (ESP) as a base register, 


references memory before the CALL. The base used is the value of the ESP before the 
instruction executes. 


For more information on Protected Mode control transfers, refer to Chapter 6 and 
Chapter 7. 


Flags Affected 


All flags are affected if a task switch occurs; no flags are affected if a task switch does 
not occur. 


Protected Mode Exceptions 
For far calls: #GP, #NP, #SS, and #TS, as indicated in the “Operation” section. 


For near direct calls: #GP(0) if procedure location is beyond the code segment limits; 
#SS(0) if pushing the return address exceeds the bounds of the stack segment; #PF 
(fault-code) for a page fault; #AC for unaligned memory reference if the current privi- 
lege level is 3. 


For a near indirect call: #GP(0) for an illegal memory operand effective address in the 
CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; 
#GP(0) if the indirect offset obtained is beyond the code segment limits; #PF(fault- 
code) for a page fault; #AC for unaligned memory reference if the current privilege 
level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 
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Virtual 8086 Mode exceptions” 


Same exceptions as in Real dares Mode; #PF (fault-code) for : a page fault; #AC for | 
UBeEnee memory reference if the current epinicees level is 3. 


Notes 
Any far call from a 32-bit code segment to a 16-bit code segment should be made from 


the first 64K bytes of the 32-bit code segment, because the operand-size attribute of the 
instruction is set to 16, allowing only a 16-bit return address offset to be saved. 
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sia la Convert Byte to nen Word to Double- 
_ word | 


Instruction ere pinks Description 


CBW ; so * ' AX <— sign-extend of AL 
CWDE 3 EAX < sign-extend of AX 


Operation 
IF OperandSize = 16 (* instruction = CBW *) 
THEN AX <— SignExtend(AL); 
ELSE (* OperandsSize = 32, instruction = CWDE real 

EAX < SignExtend(Ax); © 
Fl; 
Description 
The CBW instruction converts the signed byte in the AL register to a signed word in the 
AX register by extending the most significant bit of the AL register (the sign bit) into all 
of the bits of the AH register. The CWDE instruction converts the signed word in the 
AX register to a doubleword in the EAX register by extending the most significant bit of 
the AX register into the two most significant bytes of the EAX register. Note that the 


CWDE instruction is different from the CWD instruction. The CWD instruction uses 
the DX:AX register pair rather than the EAX register as a destination. 


Flags Affected 


None. 


Protected Mode Exceptions 
None. 
Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 
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CLC —Clear Carry Flag 


Operation 

CF < 0; 

Description 

The CLC instruction clears the CF flag. It does not affect other flags or registers. 


Flags Affected 

The CF flag is cleared. 

Protected Mode Exceptions : . ee 
None. oe geo Sale er ge 
Real Address Mode Exceptions 
None. - 


Virtual 8086 Mode Exceptions 


None. 
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CLD — Clear Direction Flag 


Opcode Instruction Clocks Description 


FC 2 Clear direction flag; SI and DI! will increment dur- 
ing string instructions 


Operation 
DF < 0; 
Description 


The CLD instruction clears the direction flag. No other flags or registers are affected. 
After a CLD instruction is executed, string operations will increment the index registers 
(SI and/or DI) that they use. | | 


Flags Affected 

The DF flag is cleared. 
Protected Niode Exceptions 
None. | | 

Real Address Mode Exceptions 


None. 


- Virtual 8086 Mode Exceptions 


None. 
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CLI—Clear Interrupt Flag 


Operation 


IF <— 0; 


Description 
The CLI instruction clears the IF flag if the current privilege level is at least as siivdlesed 


as IOPL. No other flags are affected. External interrupts are not recognized at the end 
of the ‘CLI instruction or from that point on until the IF flag is set. 7 


Flags Affected 


The IF flag is cleared. 
Protected Mode Exceptions 
#GP(0) if the current privilege level is greater (has less privilege) than the I/O privilege 


level in the flags register. The I/O privilege level specifies the least privileged level at 
which I/O can be performed. | 


Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


#GP(0) as for Protected Mode. 
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CLTS —Clear Task-Switched Flag in CRO 


Opcode Instruction Clocks Description 
OF 06 CLTS 7 Clear task-switched flag 
Operation 


TS Flag in CRO < 0; 


Description 
The CLTS instruction clears the task-switched (TS) flag in the CRO register. This flag is 


set by the processor every time a task switch occurs. The TS flag is used to manage 
processor extensions as follows: 


e Every execution of an ESC instruction is trapped if the TS flag is set. 


e Execution of a WAIT instruction is trapped if the MP flag and the TS flag are both 
set. : 


Thus, if a task switch was made after an ESC instruction was begun, the floating-point 
unit’s context may need to be saved before a new ESC instruction can be issued. The 
fault handler saves the context and clears the TS flag. 


The CLTS instruction appears in operating system software, not in application pro- : 
grams. It is a privileged instruction that can only be executed at privilege level 0. 


Flags Affected 
The TS flag is cleared (the TS flag is in the CRO register, not the flags register). 


Protected Mode Exceptions 


#GP(0) if the CLTS instruction is executed with a current privilege level other than 0. 


Real Address Mode Exceptions 


None (valid in Real Address Mode to allow initialization for Protected Mode). 


Virtual 8086 Mode Exceptions 


Same exceptions as in Protected Mode. 
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CMC — Complement Carry Flag 


Operation 


CF <— NOT CF; 

Description 

The CMC instruction reverses the setting of the CF flag. No other flags are affected. 
Flags Affected a ; - Fa eMiaae tt 
The CF flag contains the complement of its sien value 7 

Protected Mode Exceptions ; 

Real Address Mode Exceptions 

None. . a 


Virtual 8086 Mode Exceptions 


None. 
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CMP— Compare Two Operands 


Opcode Instruction Clocks _ Description — 


3C ib CMP AL,imm8 - Compare immediate byte to AL 

3D iw CMP AX,imm16 Compare immediate word to AX 

3D id CMP EAX,imm32 Compare immediate dword to EAX 

80 /7 ib CMP r/m8,imm8 Compare immediate byte to r/m byte 

81 /7 iw CMP r/m16,imm16 Compare immediate word to r/m word 

81 /7 id CMP r/m32,imm32 Compare immediate dword to r/m dword 

83 /7 ib CMP r/m16,imm8 Compare sign extended immediate byte to r/m word 

83 /7 ib CMP r/m32,imm8 Sue sign extended immediate byte to r/m 
3 wor: 

38 /r CMP r/m68,r8 Compare byte register to r/m byte 

39 /r CMP r/m16,r16 Compare word register to r/m word 

39 /r CMP 1r/m32,r32 Compare dword register to r/m dword 

3A /r CMP r8,r/m8 Compare r/m byte to byte register 

3B /r CMP r16,r/m16 Compare r/m word to word register 

3B /r CMP r32,r/m32 Compare r/m dword to dword register 


Operation 


LeftSRC - SignExtend(RightSRC); 
(* CMP does not store a result; its purpose is to set the flags *) 


Description 


The CMP instruction subtracts the second operand from the first but, unlike the SUB 
instruction, does not store the result; only the flags are changed. The CMP instruction is 
typically used in conjunction with conditional jumps and the SETcc instruction. (Refer to 
Appendix D for the list of signed and unsigned flag tests provided.) If an operand 
greater than one byte is compared to an immediate byte, the byte value is first 
sign-extended. 


Flags Affected 


The OF, SF, ZF, AF, PF, and CF flags are set according to the result. 


Protected Mode Exceptions 


-#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 
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Virtual 8086 Mode Exceptions 


Same = centions as in Real Address Mode; #PF(fault- code) for a paged fault; #AC for 
unaligned memory peESTCUCE if. the current privilege level is 3. | 
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CMPS/CMPSB/CMPSW/CMPSD — Compare String Operands 


Instruction Description 


CMPS m8&,m8 Compare bytes ES:{(E)DI] (second operand) 
with [(E)SI] (first operand) . 

CMPS m16,m16 Compare words ES:[(E)DI!] (second eperania) | 
with [(E)SI] (first operand) 


CMPS m32,m32 ! Compare dwords ES:{(E)Dl] (second operand) 
with {(E)SI] (first operand) 

CMPSB | Compare bytes ES:[(E)DI] with DS:[S]] 

CMPSW Compare words ES:[(E)Dl] with DS:[S]] - 

CMPSD Compare dwords ES:[(E)DI] with DS:[{S]] 


Operation 


IF (instruction = CMPSD) OR 
(instruction has operands of type DWORD) 
THEN OperandSize < 32; 
ELSE OperandSize < 16; 
Fl; 
IF AddressSize = 16 
THEN 
use SI for source-index and DI for destination- index 
ELSE (* AddressSize = 32 *) | | 
use ESI for source-index and EDI for destination- index: 
Fl; 
_ IF byte type of instruction 
THEN © 
set ZF based on 
[Source-index] - [destination-index]; (* byte comparison *) 
IF DF = 0 THEN IncDec < 1 ELSE IncDec <— —1; Fl; 
ELSE 
IF OperandSize = 16 
THEN 
set ZF based on | 
[source-index] - [destination-index]; (* word comparison *) 
IF DF = 0 THEN IncDec < 2 ELSE IncDec < —2; FI; 
ELSE (* OperandSize = 32 *) 
set ZF based on —_ 
[source-index] - [destination-index]; (* dword comparison *) 
IF DF = 0 THEN IncDec < 4 ELSE IncDec <— —4; FI; 
Fl; 
Fl; 
source-index = source-index + IncDec; 
destination-index = destination-index + IncDec; 


Description 


The CMPS instruction compares the byte, word, or doubleword pointed to by the 
source-index register with the byte, word, or doubleword pointed to by the destination- 
index register. ? 
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If the address-size attribute of this instruction is 16 bits, the SI.and DI registers will be 
used for source- and destination-index registers; otherwise the ESI and EDI registers 
will be used. Load the correct index values into the SI and DI (or) ESI and aca registers 
before execumne the’ oNrS instruction. 


The comparison is done ete dine the operand indexed by the destination- index 
register from the: ete indexed by the source-index register. © 


Note that the smecion of subtraction for the CMPS instruction is [SI] — [DI] or [ESI] — 
[EDI]. The left operand (SI or ESI) is the source and the right operand (DI or EDI) is 
the destination. This is the reverse of the usual Intel convention in which the lett Se 
and is the destination and the nent operand is the source. | 


The result of the subtraction is not stored; only the flags reflect the change. The types of 
the operands determine whether bytes, words, or doublewords are compared. For the 
first operand (SI or ESI), the DS register is used, unless a segment override byte is 
present. The second operand (DI or EDI) must be addressable from the ES register; no 
segment override is possible. | 


After the comparison is made, both the source-index register and destination-index reg- 
ister are automatically advanced. If the DF flag is 0 (a CLD instruction was executed), 
the registers increment; if the DF flag is 1 (an STD instruction was executed), the 
registers decrement. The registers increment or decrement by 1 if a byte is compared, by 
2 if a word is compared, or by 4 if a doubleword is compared. 


The CMPSB, CMPSW and CMPSD instructions are nouns for the ee word, ana 
doubleword CMPS instructions, TESPSRIVEN: 


The CMPS instruction can be preceded by the REPE or ¢ REPNE Gieex for block com- 
parison of CX or ECX bytes, words, or doublewords. Refer to the eens of ao 
REP instruction for more information on this operation. | 


Flags Affected 
The OF, SF, ZF, AF, PF, and CF flags are set according to the result. 
Protected Mode Exceptions 


#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault- code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode SExcepyons 


anaes 13 if any part of the opera: would lie outside of the effective addres space 
from 0 to OFFFFH. : 


26-60 


intel : INSTRUCTION SET 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. | | 
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CMPXCHG — Compare and Exchange 


Opcode ~_ =. Instruction | .-: ‘Clocks: ' Description eee , 
OF BO/r CMPXCHG r/m8,r8 ° 6/7 if comparisonis - ‘ Compare AL with r/m byte: If equal, set ZF and — 
successful; 6/10 if load byte reg into r/m byte. Else, clear ZF and 
"comparison fails. load r/m byte into AL. 
OF B1/r CMPXCHG 6/7 if comparison is Compare AX with r/m word. If equal, set ZF and 
r/m16,r16 successful; 6/10 if load word reg into r/m word. Else, clear ZF and 
comparison fails load r/m word into AX. 
OF B1/r CMPXCHG 6/7 if comparison is Compare EAX with r/m dword. If equal, set ZF 
/mM32,1r32 successful; 6/10 if and load dword reg into r/m dword. Else, clear 
comparison fails ZF and load r/m dword into EAX. 


Operation 


IF accumulator = DEST 
— ZFed 
DEST <— SRC 
ELSE 
ZF<0O 
accumulator <— DEST 


Description 


The CMPXCHG instruction compares the accumulator (AL, AX, or EAX register) with 
DEST. If they are equal, SRC is loaded into DEST. Otherwise, DEST is loaded into the 
accumulator. 


Flags Affected 


The CF, PF, AF, SF, and OF flags are affected as if a CMP instruction had been 
executed with DEST and the accumulator as operands. The ZF flag is set if the destina- 
tion operand and the accumulator are equal; otherwise it is cleared. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF (fault code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in real-address mode; #PF (fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


This instruction can be used with a LOCK prefix. In order to simplify interface to the 
processor’s bus, the destination operand receives a write cycle without regard to the 
result of the comparison. DEST is written back if the comparison fails, and SRC is 
written into the destination otherwise. (The processor never produces a locked read 
without also producing a locked write.) This instruction is not supported on Intel386 
processors. See Section 3.11 to use CMPXCHG compatible with Intel386 processors. 
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CWD/CDQ-—Convert Word to Doubleword/Convert Doubleword | 
_to Quadword . 


Opcode instruction ~ ‘Clocks -:)°. '-: Description 


99 CWD 3 DX:AX < sign-extend of AX 
99 CDQ 3 EDX:EAX < sign-extend of EAX 


Operation heen ae 
IF OperandSizé = = 16 5 cwD instruction oe 
THEN ae 

IF AX’ < 0 THEN DX'<— OFFFFH; ELSE DX < <_ 0: Fi; 
ELSE (* OperandSize ‘= 32, CDQ ‘instruction *) 

IF EAX < 0 THEN EDX < OFFFFFFFFH; ELSE EDX < 0; Fl: 
Fl; 
Description 
The CWD instruction converts the signed-word in the AX register to a signed double- 
word in the DX:AX register pair by extending the most significant bit of the AX register 
into all the bits of the DX register. The CDQ instruction converts the signed doubleword 
in the EAX register to a signed 64-bit integer in the register pair EDX:EAX by extend- 
ing the most significant bit of the EAX register (the sign bit) into all the bits of the EDX 
register. Note that the CWD instruction is different from the CWDE instruction. The 


CWDE instruction uses the EAX register as a destination, instead of the DX:AX regis- 
ter pair. 


Flags Affected 


None. 


Protected Mode Exceptions 


None. 


Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 
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DAA — Decimal Adjust AL after Addition 


Operation 


tmpAL=AL 
IF ((tmpAL AND OFH) > 9) OR (AF = 1) 
THEN 
AL <— tmpAL + 6; 
AF < 1: 
ELSE 
AF < 0; 
Fl; | 
IF (tmpAL > 9FH) OR (CF = 1) 
THEN 
AL <— tmpAL + 60H; 
CF <1; 
ELSE CF < 0; 
Fl; 


Description 
Execute the DAA instruction only after executing an ADD instruction that leaves a 
two-BCD-digit byte result in the AL register. The ADD operands should consist of two 


packed BCD digits. The DAA instruction adjusts the or register to contain the correct 
two-digit packed decimal result. 


Flags Affected 


The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal 
carry; the SF, ZF and PF flags are set according to the result. The OF flag is undefined. 


Protected Mode Exceptions 
None. 
Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 
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DAS — Decimal Adjust AL after Subtraction 


Operation 
tmpAL = AL : 
IF (tmpAL AND OFH) > 9 OR AF = 1 
THEN 
AL <— tmpAL — 6; 
AF <— 1; 


IF (tmpAL > 9FH) OR (CF = 1) 
THEN 
AL <— tmpAL — 60H; 
CF < 1; 
ELSE CF < 0; 
Fl; 


Description 
Execute the DAS instruction only after a subtraction instruction that leaves a two-BCD- 
digit byte result in the AL register. The operands should consist of two packed BCD 


digits. The DAS instruction. adjusts the AL register to contain the correct panes two- 
digit decimal result. | 


Flags Affected 


The AF and CF flags are set if there is a decimal carry, cleared if there is no decimal 
carry; the SF, ZF and PF flags are set according to the result. The OF flag is undefined. 


Protected Mode Exceptions 


None. 


Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 
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DEC — Decrement by 1 


Instruction . ‘Clocks Description 


- DEC r/m8 1/3 Decrement r/m byte by 1 - 
DEC r/mi6 1/3 Decrement r/m word by 1 


~ DEC r/m32 | AB Decrement r/m dword by 1 
DEC rié6 | 1 Decrement word register by 1 
DEC r32 1 Decrement dword register by 1 


Operation 


DEST < DEST -— 1; 


Description 
The DEC instruction subtracts 1 from the operand. The DEC instruction does not 


change the CF flag. To affect the CF flag, use the SUB i instruction, with an immediate 
operand of 1. 


Flags Affected | 


The OF, SF, ZF, AF, and PF flags are set according to the result. | 


Protected Mode Exceptions 
#GP(0) if the result is a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. a | | 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would he outside of the effective address “space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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D!IV — Unsigned Divide 


Instruction Clocks Description 
DIV AL,r/m8. . . *) 16/16 Unsigned divide AX by rim byte (AL= Quo, 

ee ee ee ere AH = Rem) . 
DIVAX,r/m16.. » 24/24 | Dene DX: AX by r/m word (AX = Quo, 


DIVEAX,/m32.. . 40/40 Unsigned divide EDX:EAX by r/m dword 
; Beare ae ; (EAX = Quo, EDX = Rem) | 


Operation 


temp < dividend / divisor; 

IF temp does not fit in quotient 

THEN Interrupt 0; 

ELSE — | 4 

| _ quotient - <— ~ temp; oe ee 
remainder < dividend MOD aan 

Fl; 


Note: Divisions are unsigned. The divisor is given by the r/m operand. The dividend, 
quotient, and remainder use implicit registers. Refer to the table under “Description.” 


Description 


The DIV instruction performs an unsigned division. ‘The dividend is implicit; only the 
divisor is given as an operand. The remainder i is always less than the divisor. The type of 
. the divisor. determines which registers to use as follows: 


Flags Affected 
The OF, SF, ZF, AF, PF, CF flags are undefined. 
Protected Mode Exceptions 


Interrupt 0 if the quotient is too large to fit in the designated register (AL, AX, or 
EAX), or if the divisor is 0; #GP(0) for an illegal memory operand effective address in 
the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; 
#PF(fault- code) for a page fault; #AC for unaligned memory reference if the current 
privilege level is 3. 
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Real Address Mode Exceptions 
Interrupt 0 if the quotient is too big to fit in the designated register (AL, AX, or EAX), 


or if the divisor is 0; Interrupt 13 if any part of the operand would lie outside of the 
effective address space from 0 to OFFFFH. , 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilcee level is 3. 
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ENTER — Make Stack Frame for Procedure Parameters | 


Opcode .. - Instruction...  -.° Clocks. —* . Description . 
C8iw00 |. ENTERimm160 .° 14 °° + Make procedure stack frame 


C8 iw01 ENTER imm16,1 17 _.: . .' Make-stack frame for procedure parameters 
C8 iwib ENTER imm16,imm8 17+3n Make stack frame for procedure parameters 


pester 


level <— sie MOD 32 a : : 
IF OperandSize = 16 THEN Push(BP) ELSE Push (EBP) F 
(* Save stack pointer *) 
frame-ptr <— eSP 
IF level > O 
THEN (* level is rightmost parameter *) 
FOR i< 1 TO level — 1 
DO 
IF OperandSize = 16 
THEN 
BP < BP — 2; 
Push[BP] 7 
ELSE (* OperandSize = 32 *) 
EBP < EBP -— 4; | 
Push[EBP}]; 
OD; 
Push(frame-ptr) 
FI; 
IF OperandSize = 16 THEN BP < frame-ptr ELSE EBP < frame-ptr; FI; 
IF StackAddrSize = 16 , 
THEN SP < SP — First operand; | 
ELSE ESP < ESP — ZeroExtend(First operand); 
Fl; 


Description 


The ENTER instruction creates the stack frame required by most block-structured high- 
level languages. The first operand specifies the number of bytes of dynamic storage 
allocated on the stack for the routine being entered. The second operand gives the 
lexical nesting level (0 to 31) of the routine within the high-level language source code. It 
determines the number of stack frame pointers copied into the new stack frame from the 
preceding frame. The BP register (or EBP, if the operand-size attribute is 32 bits) i is the 
current stack frame poner 


If the operand-size attaibuite is 16 bits, the processor uses the BP register as the frame 
pointer and the SP register as the stack pointer. If the operand-size attribute is 32 bits, 
the processor uses the EBP register for the frame pointer and the ESP register for the 
stack pointer. 
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If the second operand is 0, the ENTER instruction pushes the frame pointer (BP or EBP 
register) onto the stack; the ENTER instruction then subtracts the first operand from 
the stack pointer and sets the frame pointer to the current stack-pointer value. 

For example, a procedure with 12 bytes of local variables would have an ENTER 12,0 


instruction at its entry point and a LEAVE instruction before every RET instruction. 
The 12 local bytes would be addressed as negative offsets from the frame pointer. | 


Flags Affected 
None. 


Protected Mode Exceptions 


#SS(0) if the SP or ESP value would exceed the stack limit at any point during instruc- 
tion execution; #PF(fault-code) for a page fault. 


Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 
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F2XM1 — Compute 2*—1— 


Opcode Instruction = —- Clocks © Concurrent Execution 


Description 


D9 FO FOXM1 242 (140-279) 2 


Operation 
ST <— (2°'-1); 


Description 


Replace ST with (25T—1) 


F2XM1 replaces the contents of ST with (2°'—-1). ST must lie in the range —1 < ST < 


1. 
FPU Flags Affected 
C1 as described in Table 15-1; CO, C2, C3 undefined. | 


Numeric Exceptions 


Po Dl IS:. 


Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CR0 is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Notes 


If the operand is outside the acceptable range, the result of F2XM1 is undefined. 


The F2XM1 instruction is designed to produce a very accurate result even when the | 
operand is close to zero. Larger errors are incurred for operands with magnitudes very 


close to 1. 


Values other than 2 can be exponentiated using the formula 


XY = oy x logex) 
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The instructions FLDL2T and FLDLZ2E load the constants log,10 and log,e, respec- 
tively. FYL2X can be used to calculate y x log,x for arbitrary positive x. 
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FABS — Absolute Value 


Opcode Instruction Clocks Description 
D9 E1 FABS 3 Replace ST with its absolute value. 


Operation 


sign bit of ST — 0 


Description | 


The absolute value instruction clears the sign bit of ST. This operation leaves a positive | 
value unchanged, or replaces a negative value with a positive value of equal magnitude. 


FPU Flags Affected 
C1 as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 
IS.. 
Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Notes 


The invalid-operation exception is raised only on stack underflow, even if the operand is 
signalling NaN or is in an unsupported format. 
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FADD/FADDP/FIADD — Add 


“Instruction _ Clocks | Concurrent Execution © Description 


FADD m32 real 10 (8-20) 7 (5-17) Add m32real to ST. 

FADD m64real 10 (8-20) 7 (5-17) Add m64real to ST. 

FADD ST, ST(i) 10 (8-20) 7 (5-17) Add ST(i) to ST. 

FADD ST(i), ST 10 (8-20) 7 (5-17) Add ST to ST(i). 

FADDP ST(i), ST 10 (8-20) 7 (5-17) Add ST to ST(i) and pop ST. 
FADD — — 10 (8-20) = ~=—7 (5-17) aes Add ST to ST(1) and pop ST. 
FIADD m32int 22.5 (19-32) 7 (5-17) Add m32int to ST. a gee 
FIADD m16int 24 (20-35) 7 (5-17) Add m16int to ST] 


Operation 


DEST < DEST .+SRC; 
If instruction = FADDP THEN pop ST FI; 


Description 


The addition instructions add the source and destination operands and return the sum to 
the destination. The operand at the stack top can be doubled by coding: 


FADD ST, ST(0) 


FPU Flags Affected 


Cl as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


P, U, O, D, I, IS. 


Protected Mode Exceptions 


#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF (fault-code) for a page 
fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF (fault code) for a page fault; #AC for 
unaligned memory reference if the current paves level is 3 3. 


Notes 


if the source operand i is in memory, it is automatically converted to the extended-real 
format. | | | 
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FBLD — Load Binary Coded Decimal 


Opcode Instruction Clocks Concurrent Execution Description 


DF /4 FBLD m80 dec 75 (70-103) = 7.7 (2-8) _ Push m80dec onto the FPU stack. 


Operation 


Decrement FPU stack-top pointer; 
ST(0) < SRC; 


Description 


FBLD converts the BCD source operand into extended-real format, and pushes it onto 
the FPU stack. See Figure 15-10 for BCD data layout. 


FPU Flags Affected 


C1 as described in Table 15-1; C0, C2, C3 undefined. ~ 


Numeric Exceptions 


IS. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF (fault-code) for a page 


fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from | 
0 to OFFFFH; Interrupt 7 if either EM or TS in CR0 is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF (fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


The source is loaded without rounding error. The sign of the source is preserved, includ- 
ing the case where the value is negative zero. 
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The packed decimal digits are assumed to be in. the range 0-9. The instruction does not 
check for invalid ene er and the result of re to load an invalid encoung, 
is undefined. ha a 


ST(7) must be empty to einen an visdiicahcel saaiels 7 ; | 
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FBSTP — Store Binary Coded Decimal and Pop 


Opcode Instruction Clocks Description 
DF /6 FBSTP m80dec 175 (172-176) Store ST in m80dec and pop ST. 
Operation 
DEST <— ST(0); 
pop ST FI; 
Description 


FBSTP converts the value in ST into a packed decimal integer, stores the result at the 
destination in memory, and pops ST. Non-integral values are first rounded according to 
the RC field of the control word. See Figure 15-10 for BCD data layout. — 


FPU Flags Affected 
C1 as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


P, I, IS. 


Protected Mode Exceptions 
#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 


address in the SS segment; #PF (fault-code) for a page fault; #NM if either EM or TS 
in CRO is set; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF (fault. code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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FCHS — Change Sign 


Operation 


sign bit of ST — NOT (sign bit of ST) 


Description 


The change sign instruction inverts the sign bit of ST. This operation replaces a positive 
value with a ee value. of eae magmuiuce, or vice-versa. | 


FPU Flags Affected — 

C1 as described in Table 15-1; CO, C2, C3 undefined. 
Numeric Exceptions 

IS. 

Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real pacKe>. Mode Exceptions 


Interrupt 7 if either EM or TS in CRO i is set. 


Virtual 8086 Mode Eicoutions 
#NM if either EM or TS in CRO is set. 
Notes | 


The invalid-operation exception is raised only on stack underflow, even if the operand is 
a signalling NaN or is in an unsupported format. 
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FCLEX/ FNCLEX — Clear Exceptions — 


Opcode instruction Clocks Description 


9B DB E2 FCLEX . | 7 +. at least 3 for Clear floating-point exception flags after check- 
FWAIT | 


ing for floating-point error conditions. 


DB E2 FNCLEX | 7 Clear floating-point exception flags without 
checking for floating-point error conditions. 


Operation _ 


SWI0..7] <— 0: 
SW[15] <— 0; 


Description 


FCLEX clears the exception flags, the exeplows status s flag, and the oe mae of the 
FPU status word. | 


FPU Flags Affected 


C0, C1, C2, C3 undefined. 


Numeric Exceptions | 


None. 


Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


a 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


NM if either EM or TS in CRO is set. 


Notes 


FCLEX checks for unmasked floating- pom error conditions before clearing the eXxcep- 
tion flags; FNCLEX does not. 7 
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FCOM/FCOMP/FCOMPP — neice Real 


Instruction Description 


FCOM m32real: 
FCOM m64real — 
FCOM ST(i) 
FCOM 
FCOMP m32real 
FCOMP m64real 
FCOMP ST(i) 
FCOMP 
FCOMPP 


Compare ST with m32real. 

Compare ST with m64real. 

Compare ST with ST(i). 

Compare ST with ST(1). 

Compare ST with m32real and pop ST. 
Compare ST with m64real and pop ST. 
Compare ST with ST(i) and pop ST. 
Compare ST with ST(1) and pop ST. 
Compare ST with ST(1) and pop ST twice. 


OpL,_AADRAARA A 


Operation 


CASE (relation of operands) OF 
Not comparable: C3, C2, CO < 111; 


ST > SRC: C3, C2, CO <— 000; 
| ST < SRC: | C3, C2, CO < 001; 
ST = SRC: C3, C2, CO < 100; 


IF instruction = FCOMP THEN pop ST; FI; 
IF instruction = FCOMPP THEN pop ST; pop ST; FI; 


Description 


The compare real instructions compare the stack top to the source, which can be a 
register or a single- or double-real memory operand. If. no operand is encoded, ST is 
compared to ST(1). Following the instruction, the condition codes reflect the ren 
between ST and the source operand. . 


FPU Flags Affected 
C1 as described in Table 15-1; CO, C2, C3 as specified above. | 
Numeric Exceptions 


D, I, IS. 
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' Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF (fault-code) for a page. — 


fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF (fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. | 


Notes 


If either operand is a NaN or is in an undefined format, or if a stack fault occurs, the 
invalid-operation exception is raised, and the condition bits are set to “unordered.” 


The sign of zero is ignored, so that —0.0 =— +0.0. 
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FCOS—Cosine 


Operation 


IF operand is in range | 
THEN 

C2 — 0; 

ST < cos(ST); 
ELSE 

C2 <— 1; 
Fl; | 


Description 


The cosine instruction replaces the, contents of ST with cos(ST). ST, expressed in radi- 
ans, must lie in the range | 6 | < i | 


FPU Flags Affected 


C1, C2 as described in Table 15-1; CO, C3 undefined. 
Numeric Exceptions 

P, U, D, I, IS. 

Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 
#NM if either EM or TS in CRO is set. 
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Notes 


If the operand is outside the acceptable range, the C2 flag is set, and ST remains 
unchanged. It is the programmer's responsibility to reduce the operand to an absolute 
value smaller than 2°° by subtracting an appropriate integer multiple of 27. See Section 
17.5 for a discussion of the proper value touse for 7 in performing such reductions. 


The Intel486 CPU checks for interrupts while performing this instruction. It will be 
aborted to service an interrupt. 
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FDECSTP — Decrement Stack-Top Pointer 


Opcode Instruction : © Clocks | '- Deseription 


D9 F6 = = FDECSTP ' — 8 Decrement top: -of- stack pointer for FPU register 
ra ar ne, Say ae: : ; _ Stack. 7 4 


Operation 

IF TOP=0 

THEN TOP < 7; 
ELSE TOP <— TOP—1; 
FI; 


Description 


FDECSTP subtracts one (without carry) from the three-bit TOP field of the FPU status 
word. 


FPU Flags Affected 
Cl as described in Table 15-1; CO, C2, C3 undefined. 
Numeric Exceptions 


None. 


Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Notes 


The effect of FDECSTP is to rotate the stack. If does not alter ont tags or nee 
nor does it transfer data. 
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FDIV/FDIVP/FIDIV — Divide 


Opcode 


D8 /6 
DC /6 
D8 FO+i 
DC F8+i 
DE F8+i 
DE F9 
DA /6 
DE /6 


Clocks Concurrent Execution 


Instruction 


FDIV m32real 
FDIV m64real 


_FDIV ST, ST(i) 


FDIV ST(i), ST 
FDIVP ST(i), ST 
FDIVP 

FIDIV m32int 
FIDIV m16int 


Description 


Divide ST by m32real. 

Divide ST by m64real. 

Divide ST by ST(i) 

Replace ST(i) with ST(i) + ST 

Replace ST(i) with ST(i) + ST; pop ST. 
Replace ST(1) with ST(1) + ST; pop ST. 
Divide ST by m32int. 
Divide ST by m/16int. 


Operation 
F DIV DEST, SCR 


DEST < DEST + SCR. 
IF instruction = FDIVP THEN pop ST FI; 


Description 


The division instructions divide the stack top by the other operand and return the quo- 
tient to the destination. 


FPU Flags Affected 


C1 as described in Table 15-1; C0, C2, C3 undefined. 


Numeric Exceptions 


~ P, U, O, Z, D, I, IS. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 


fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. | 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode ee 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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Notes 


If the source operand is in memory, it is automatically converted 1 to the extended- real 
_ format. 


The performance of the division instructions depends on the PC (Precision Control) 
field of the FPU control word. If PC specifies a precision of 53 bits, the division instruc- 
tions will execute in 62 clocks. If the specified precision is 24 bits, the division instruc- 
tions will take only Eb) clocks, | a Go: 3 
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FDIVR/FDIVPR/FIDIVR — Reverse Divide 


Opcode Instruction ~ Clocks Concurrent Execution Description — 


D8 /7 FDIVR m32real Replaces ST with m32real + ST. 

DC /7 FDIVR m64real Replace ST with m64real + ST. 

D8 F8+i FDIVR ST, ST(i) : . - Replace ST by ST(i) + ST. 

DC FO+i FDIVR ST(i), ST : . _ Divide ST(i) = ST + ST(i). | 

DE FO+i FDIVRP ST(i), ST Divide ST(i) = ST + ST(i) and pop ST. 
DE F1 FDIVRP | | Divide ST(1) = ST + ST(1) and pop ST. 
DA /7 FIDIVR m32int Replace ST with m32int + ST. 

DE /7 FIDIVR m16int Replace ST with m76int + ST. 


Operation 
FDIVR DEST, SRC 


DEST <— SRC + DEST 
IF instruction = FDIVRP THEN pop ST FI; 


Description 


The division instructions divide the OneE operand by the stack top and return the quo- 
tient to the destination. — 


FPU Flags Affected 


~ Cl as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


P, U;.0:-Z, D, i IS. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 


fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 7 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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Notes 


If the source operand is in memory, it is automatically converted to the extended-real 
format. | | | 


The performance of the reverse division instructions depends on the PC (Precision Con- 
trol) field of the FPU control word. If PC specifies a precision of 53 bits, the reverse 
division instructions will execute in 62 clocks. If the specified precision is 24 bits, the 
reverse division instructions will take only 35 clocks. : 
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FFREE—Free Floating-Point Register 


Operation 

TAG(i) <— 11B; 

Description 

FFREE tags the destination register as empty. 
FPU Flags Affected 

CO, C1, C2, C3 undefined. 

Numeric Exceptions : 

Sane: 

Protected Mode Exceptions 

#NM if either EM or TS in CRO is set. 
Real Address Mode Exceptions 

Interrupt 7 if either EM or TS ‘in CRO is set. 
Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Notes 


FFREE does not affect the contents of the destination register. The floating-point stack- 
top pointer (TOP) is also unaffected. 
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FICOM/FICOMP — Compare Integer 


Opcode __ Instruction Clocks Concurrent Execution Description 
DE /2 FICOM mi6real _—-18 (16-20) 1 Compare ST with m/16int. 


DA /2 FICOM m32real ~—: 16.5 (15-17) 1 Compare ST with m32int. 
DE /3 FICOMP m176int 18 (16-20) 1 Compare ST with m76int and pop ST. 
DA /3 FICOMP m32int 16.5 (15-17) 1 Compare ST with m32int and pop ST. 


_ Operation 


CASE (relation of operands) OF | 
Not comparable: C3, C2, CO < 111; 


ST > SRC: C3, C2, CO < 000; 
ST < SRC: C3, C2, CO < 001; 
ST = SRC: C3, C2, CO < 100; 


IF instruction = FICOMP THEN pop ST; FI; 


Description 


The compare integer instructions compare the stack top to the source. Following the 
instruction, the condition codes reflect the relation between ST and the source operand. 


FPU Flags Affected 


Cl as described in Table 15-1; CO, C2, C3 as specified above. 


Numeric Exceptions 


D, I, IS. 


Protected Mode Exceptions 


#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 
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Real Address Mode Exceptions 


Interupt 13 if any part of the operand would lie outside the effective address space from 
O to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


The memory operand is converted to extended-real format before the comparison is 
performed. 


If either operand is a NaN or is in an undefined format, or if a stack fault occurs, the 
invalid-operation exception is raised, and the condition bits are set to “unordered.” 
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FILD — Load Integer 


Instruction Clocks Concurrent Execution | _ Description : 


FILD m16int 14.5 (13-16) 4 7 ~ Push m/1éint onto the FPU Uti, 
FILD m32int 11.5 (9-12) 4 (2-4) ° Push m32int onto the FPU stack. 
FILD m64int 16.8 (10-18) 7.8 (2-8) ».’ Push m64int onto the FPU stack... 


Operation | 


Decrement FPU stack-top pointer; 
ST(0) <— SRC; 


Description 
FILD converts the source signed integer operand into extended-real format, and pushes 
it onto the FPU stack. 


FPU Flags Affected 


C1 as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


IS. 


Protected Mode Exceptions 


#GP(0) for an illegal memory operand effectivfe address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) fora page 
fault; #NM if either EM or TS in on! is set; #AC for unaligned memory reference if 
the current privilege level is 3. _ 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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Notes 
The source is loaded without rounding error. 


ST(7) must be empty to avoid causing an invalid-operation exception. 
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FINCSTP — Increment Stack-Top Pointer 


Opcode Instruction Clocks ~ ...° Description = 


D9 F7 FINCSTP 3 4 . emen top-of-stack pointer for FPU register 
cs GE hy Peet ee _:, Stack: fgg Sapte en, Be, bs 


Operation 

IF TOP =7 

THEN TOP < 0; 

ELSE TOP < TOP + 1; 
Fl; 


Description 
FINCSTP adds one (without carry) to the three-bit TOP field of the FPU status word. 


FPU Flags Affected 


Clas described in Table 15-1; C0, C2, C3 undefined. 


_ Numeric Exceptions 


None. 


Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM is either EM or TS in CRO is set. 


Notes 
The effect of FINCSTP is to rotate the stack. It does not alter register tags or contents, 


nor does it transfer data. It is not equivalent to popping the stack, because it does not set 
the tag of the old stack-top to empty. 
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FINIT/FNINIT — Initialize Floating-Point Unit 


Opcode ‘Instruction Clocks «--. Deseription: | 
DB E3 FINIT ne + al least 3 for Initialize FPU after checking for unmasked ~ | 
AIT 


floating-point error condition. 
DB/E3 FNINIT or, Se ea AS «Initialize FPU without checking for unmasked:: — 
. floating-point error condition. ' 


Operation — 

CW < 037FH; (* Control word *) 

SW < 0; (* Status word *) 

TW < FFFFH; (* Tag word *) 

FEA < 0; FDS < 0; (* Data pointer *) 

FIP — 0; FOP — 0; FCS < 0; (* Instruction pointer *) 


Description 


The initialization instructions set the FPU into a known state, unaffected by any previ- 
ous activity. 


The FPU control word is set to 037FH (round to nearest, all exceptions masked, 64-bit 
prevision). The status word is cleared (no exception flags set, stack register RO=stack- 
top). The stack registers are all tagged as empty. The error pointers (both instruction and 
data) are cleared. 


FPU Flags Affected 


C0, C1, C2, C3 cleared. 


Numeric Exceptions 


None. 


Protected Mode Exceptions | 


#¢NM if either EM or TS in CRO is set. 


Real Address Niode Exceptions. 


. Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 
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Notes 


FINIT checks for unmasked floating-point error conditions before performing the ini- 
tialization; FNINIT does not. | 


FINIT and FNINIT leave the FPU in the same state as that which results from a hard- 
ware RESET signal with Built-In Self-Test. 


On the Intel486 processor, unlike the Intel387 math coprocessor, FINIT and FNINIT 
clear the error pointers. | | 
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FIST/FISTP —Store Integer 


Instruction | | Clocks . “ . Description | 


FIST m16int 33.4 (29-34) Store ST in m76int. 
- FIST m32int —— 32.4 (28-34) Store ST in m32int.: | 


FISTP m16int 33:4 (29-34) _ Store ST.in m16int and pop. ST. 
FISTP md32int 33.4 (29-34) Store ST in m32int and pop ST. 
FISTP m64int 33.4 (29-34) ' Store ST in m64int and pop ST. 


Operation 


DEST < ST(0); 
IF instruction = FISTP THEN pop ST FI; 


Description 
FIST converts the value in ST into a signed integer according to the RC field of the 
control word and transfers the result to the destination. ST remains unchanged. FIST 


accepts word and short integer destinations; FISTP accepts these and long integers as 
well. 


FPU Flags Affected 


C1 as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


P, I, IS. 


Protected Mode Exceptions 
#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 


address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in 
CRO is set; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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Notes 
Negative: zero is stored with the same encoding (00. ~ as positive zero. 


If the value is too large. to represent as an integer, an I exception is raised. The masked 
response is to write su most negative integer to ene: 
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FLD — Local Real 


Instruction Clocks | Description 


FLD m32real 3 | Push m32real onto the FPU stack. 
FLD m64real Push m64real onto the FPU stack. 
FLD m80real Push m80real onto the FPU stack. 
FLD ST(i) Push ST(i) onto the FPU stack. 


Operation 


Decrement FPU stack-top pointer; 
ST(0) <— SRC; 


Description 


FLD pushes the source operand onto the FPU stack. If the source is a register, the 
register number used is that before the stack-top pointer is decremented. In particular, 
coding | 


FLD ST(0) 


duplicates the stack top. 


FPU Flags Affected 


C1 as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


D, I, IS. 


Protected Mode Exceptions 


#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address Space from 
0 to OFFFFH; Interrupt f either EM or TS in ea is set. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a. ase fault; #AC for 
unaligned me terete if the current privilege level is 3. | 


Notes 

If the source operand is in single- or double-real format, it is automatically converted to 
the extended-real format. Loading an extended-real operand does not require conver- 
sion, SO ue I and D exceptions will not occur in this case. 


ST(7) must be empty to avoid causing an invalid-operation exception: 
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FLD1/FLDL2T/FLDL2E/ 
FLDPI/FLDLG2/FLDLN2/FLDZ—Load Constant 


Opcode Instruction Clocks Concurrent Execution Description 


D9 E8 FLD1 Push +1.0 onto the FPU Stack. 
D9 E9 FLDL2T Push log.10 onto the FPU Stack. 
D9 EA FLDL2E Push logse onto the FPU Stack. 
DS EB FLDPI Push a onto the FPU Stack. 

D9 EC FLDLG2 Push log;92 onto the FPU Stack. 
D9 ED FLDLN2 Push log,2 onto the FPU Stack. 
D9 EE FLDZ Push +0.0 onto the FPU Stack. 


Operation 


Decrement FPU stack-top pointer; 
ST(0) — CONSTANT; 


Description 


Each of the constant instructions pushes a commonly-used (in extended-real format) 
onto the FPU stack. 


PU Flags Affected 


C1 as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


IS. 


Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


##NM if either EM or TS in CRO is set. 


Notes 


- ST(7) must be empty to avoid an invalid exception. 


26-103 


intel ; INSTRUCTION SET 


An suena 66- eine constant is ited and rounded to seca real format as peice 2 
the RC bit of the control words). The precision exception is not raised. 
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FLDCW —Load Control Word 


Operation 


CW < SRC; 


Description 


FLDCW replaces the current value of the FPU control word with the value contained in 
the specified memory word. | 


FPU Flags Affected 


C0, Cl, C2, C3 undefined. 


Numeric Exceptions 


None, except for unmasking an existing exception. 


Protected Mode Exceptions | 


#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 
FLDCW is typically used to establish or change the FPU’s mode of operation. 
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If an exception bit in the status word is set, loading a new control word that unmasks 
that exception will result in a floating-point error condition. When changing modes, the 
recommended procedure is to clear any pending exceptions before loading the new con- 
trol word. es 
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FLDENV — Load FPU Environment 


Instruction => Clocks a, te Description 


FLDENV m14/ | _ 44 real or virtual/34 Load FPU environment from m14byte or 
28byte protected m28byte. 


Operation 


FPU environment <— SRC; 


Description 


FLDENV reloads the FPU environment from the memory area defined by the source 
operand. This data should have been written by previous FSTENV or FNSTENV 
instruction. 


The FPU environment consists of the FPU control word, status word, tag word, and 
error pointers (both data and instruction). The environment layout in memory depends 
on both the operand size and the current operating mode of the processor. The USE 
attribute of the current code segment determines the operand size: the 14-byte operand 
- applies to a USE16 segment, and the 28-byte operand applies to a USE32 segment. 
Figures 15-5 through 15-8 show the environment layouts for both operand sizes in both 
real mode and protected mode. (In virtual-8086 mode, the real mode layout is used.) 
FLDENV should be executed in the same operating mode as the corresponding 
FSTENV or FNSTENV. 


FPU Flags Affected 


C0, C1, C2, C3 as loaded. 


Numeric Exceptions 


None, except for loading an unmasked exception. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 


fault; #NM if either EM or TS in CRO is Set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. . | 
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Virtual 8086 Mode Exceptions - 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


If the environment image contains an anmacked exception, ne it will result in a 
floating-point error condition. | | 
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FMUL/FMULP/FIMUL — Multiply 


Instruction Clocks Concurrent Execution 


FMUL m32real 
FMUL m64real 
FMUL ST, ST(i) 
FMUL ST(i), ST 
FMULP ST(i), ST 
FMUL 


Description 


Multiply ST by m32real. 

Multiply ST by m64real. 

Multiply ST by ST(i) 

Multiply ST(i) by ST. 

Multiply ST(i) by ST and pop ST. 
Multiply ST(1) by ST and pop ST. 


FIMUL m32int 
FIMUL m176int 


23.5 (22-24) 
25 (23-27) 


Multiply ST by m32int. 
Multiply ST by m76int. 


Operation 


DEST < DEST x SRC; 
IF instruction = FMULP THEN pop ST FI; 


Description 


The multiplication instructions multiply the destination operand by the source operand 
and return the product to the destination. 


FPU Flags Affected 


Cl as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


P, U, O, D, I. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 


fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
O to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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Notes 


If the source operand is in memory, it. is automatically converted to the extended-real 
format. _ OB a a _ 
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FNOP — No Operation 


Opcode Instruction Clocks Description 
D9 DO FNOP 3 No operation is performed. 
Description 


FNOP performs no operation. It affects nothing except instruction pointers. 


FPU Flags Affected 
CO, C1, C2, C3 undefined. 


Numeric Exceptions 


None. 


Protected Mode Exceptions 


#:NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 
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FPATAN— - Partial Arctangent 


 Opcode Instruction Clocks” ok - Concurrent Execution ‘ ' Description © 


D9 F3 FPATAN ~ © 289 (218-303) . 5 (2-17) Replace ST(1) with arctan(ST(1) + ST) - 
ere Sceeiasa i tun- dod eden beak Oak Geet ho Bete ieee Eame- Sasa ty and.pop ST. .. ... ae, 
Operation 
ST(1) < arctan(ST(1) # ST); 
pop ST; 

Description 


The partial arctangent instruction computes the arctangent of ST(1) + ST, and returns 
the computed value, expressed in radians, to ST(1). It then pops ST. The result has the 
same sign as the operand from ST(1), and a magnitude less than tr. 


FPU Flags Affected 
Ci as pescanes in Table 15-1; CO, C2, C3 undefined. 


Numeric exeeptions 


pepe Cree © Pe eet icy 


Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 
#NM if either EM or TS in CRO is set. 


Notes 
There is no restriction on the range of arguments that FPATAN can accept. 


The fact that FPATAN takes two arguments and computes the arctangent of their ratio 
simplifies the calculation of other trigonometric functions. For instance, arcsin(x) (which 
is the arctangent of x + 1/(1—x*)) can be computed using the following sequence of 
operations: Push x onto the FPU stack; compute 1/(1—x’) and push the FeSuiLe value 
onto the stack; execute FPATAN. | 


The Intel486 CPU checks for interrupts while performing this instruction. It will abort 
this instruction to serve an interrupt. 


26-112 


intel P INSTRUCTION SET 


FPREM — Partial Remainder 


Opcode Instruction Clocks Concurrent Execution Description 


D9 F8 FPREM 84 (70-138) 2 (2-8) Replace ST with the remainder obtained on 
dividing ST by ST(1). 


Operation 


-EXPDIF < exponent(ST) — exponent(ST(1)); 
IF EXPDIF < 64 | . 
THEN | 
Q < integer obtained by chopping ST + ee ) toward zero; 
ST <— ST —.(ST(1) x Q); : 
C2 <— 0; fy ies 
CO, C1, C3 < three least-significant bits of Q; (* Q2, Q1, QO *) 
ELSE | 7 : 
C2 <1: 
N < a number between 32 and 63: 
QQ < integer obtained by chopping (ST + oTG 2S er) 
toward-zero; | i | 
ST — ST — (ST(1) x aa oy ae N. 
Fl; 


Description 


The partial remainder instruction computes the remainder obtained on dividing ST by 
ST(1), and leaves the result in ST. The sign of the remainder is the same as the sign of 
the original dividend in ST. The magnitude of the remainder is less than that of the 
modulus. 


FPU Flags Affected 


C0, C1, C2, C3 as described in Table 15-1. 


Numeric Exceptions 

U, D, I, IS. 

Protected Mode Exceptions 

#NM if either EM or TS in CRO is set. 
Real Address Mode Exceptions 

Interrupt 7 if either EM or TS in CRO is set. 
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Virtual 8086 Mode Exceptions 
#NM if either EM or TS in CRO is set. 
Notes | 


FPREM produces an exact result; the precision (inexact) exception does not occur and 
the rounding control has no effect. . 


The FPREM instruction is not the remainder operation specified in IEEE Std 754. To 
get that remainder, the FPREM1 instruction should be used. FPREM is supported for 
compatibility with the 8087 and 80287 math coprocessors. 


FPREM works by iterative subtraction, and can reduce the exponent of ST by no more 
than 63 in one execution. If FRPREM succeeds i in producing a remainder that is less than 
the modulus, the function is complete and the C2 flag is cleared. Otherwise, C2 is set, 
and the result in ST is called the partial remainder. The exponent of the partial remain- 
der is less than the exponent of the original dividend by at least 32. Software can 
re-execute the instruction (using the partial remainder in ST as the dividend) until C2 is 
cleared. A higher-priority interrupting routine that needs the FPU can | force a context 
switch between the instructions in the remainder OOD 


An important use Of FPREM is to reduce the arguments of Beige: functions. When 
reduction is complete, FPREM provides the three least-significant bits of the quotient in 
flags C3, C1, and CO. This is important in argument reduction for the tangent function 
(using a ‘modulus of 7/4), because it locates the original angle in the correct one of eight 
sectors of the unit circle. a ee a ae eet | 
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FPREM1 — Partial Remainder 


Opcode Instruction Clocks Concurrent Execution Description 


D9 F5 FPREM1 94.5 (72-167) 5.5 (2-18) Replace ST with the remainder obtained on 
dividing ST by ST(1). 


Operation 


EXPDIF <— exponent(ST) - _ ee )); 
IF EXPDIF < 64 
THEN | 
Q < integer obtained by chopping ST + oo ) toward zero; © 
ST <— ST — (ST(1) x Q);. | 
C2 < 0; 
CO, C1, C3 < three least- etl bits of Q; e Q2, Q1, Q0 *) 
ELSE 
C2 <— 1; 
N<a number between 32 and 63; . fe AS i 
QQ < integer nearest to (ST + ST(1)) + QE*POIFN. 
ST <— ST —- (ST(1) x QQ x DESPBIE:N: 
Fl; - | , 


Description | 


The partial remainder instruction computes the remainder obtained on dividing ST by 
ST(1), and leaves the result in ST. The magnitude of the remainder is less than half the 
magnitude of the modulus. 


FPU Flags Affected 


C0, C1, C2, C3 as described in Table 15-1. 
Numeric Exceptions 
U, D, I, IS. 


Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 
Interrupt 7 if either EM or TS in CRO is set. 
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Virtual 8086 Mode Exceptions 

#NM if either EM or TS in CRO is set. 

Notes | 

FPREM1 produces an exact result; the precision (inexact) exception does not ¢ occur and 
the rounding control has no effect. 


The FPREM1 instruction is the remainder operation specified in IEEE Std 754. It dif- 
fers from FPREM in the way it rounds the quotient of ST and ST(1). , 


FPREM 1 works by iterative subtraction, and can reduce the exponent of ST by no more 
_ than 63 in one execution. If FPREM1 succeeds in producing a remainder that is less 
than one half the modulus, the function is complete and the C2 flag is cleared. Other- 
wise, C2 is set, and the result in ST is called the partial remainder. The exponent of the 
partial remainder is less than the exponent of the original dividend by at least 32. Soft- 
ware can re-execute the instruction (using the partial remainder in ST as the dividend) 
until C2 is cleared. A higher-priority interrupting routine that needs the FPU can force 
a context switch between the instructions in the remainder loop. 


An important use of FPREM1 is to reduce the arguments of periodic feastiois When 
reduction is complete, FPREM1 provides the three least-significant bits of the quotient 
in flags C3, C1, and CO. This is important in argument reduction for the tangent function 
(using a modulus of 1/4), because it locates the original angle in the correct one of eight 
sectors of the unit circle. 
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FPTAN — Partial Tangent 


Opcode Instruction Clocks Concurrent Execution 


D9 F2 FPTAN 244 (200-273) 70 


Description 


Replace ST with its tangent and push 1 
onto the oe stack. 


Operation 


IF operand is in range 


THEN 
C2 < 0; 
ST < tan(ST); 
Decrement stack-top pointer; 
ST <= 1.0; 
ELSE 
C2 <1; 
Fl; 
Description 


The partial tangent instruction replaces the contents of ST with tan(ST), and then 
pushes 1.0 onto the FPU stack. ST, expressed in radians, must lie in the range | 6 | < 2° 


FPU Flags Affected 


C1, C2 as described in Table 15-1; CO, C3 undefined. 


Numeric Exceptions 
P, U, D, I, IS. 
Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address WMode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 
#NM if either EM or TS in CRO is set. 
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Notes 


If the operand is outside the acceptable range, the.C2 flag is set, and ST remains 
unchanged. It is the programmer’s responsibility to reduce the operand to an absolute 
value smaller than 2°: by subtracting an appropriate integer multiple of 27. See 
Section 17.5 for a discussion of the proper value to use for w in performing such 
reductions. 


The fact that FPTAN pushes 1.0 onto the FPU stack after computing tan(ST) maintains 
compatibility with the 8087 and 80287 math coprocessors, and simplifies the calculation 
of other trigonometric functions. For instance, the cotangent (which is the reciprocal of 
the tangent) can be computed by executing FDIVR after FPTAN. 

ST(7) must be empty to avoid an invalid-operation exception. 


The Intel486 CPU periodically checks for interrupts while performing this instruction. It 
will be aborted to service an interrupt. 7 
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FRNDINT — Round to Integer 


Opcode Instruction Clocks Concurrent Execution Description 
D9 FC FRNDINT 29.1 (21-30) 7.4 (2-8) Round ST to an integer. 
Operation 


_ ST < rounded ST; 


Description 


The round to integer instruction rounds the value in ST to an integer according to the 
RC field of the FPU control word. 


FPU Flags Affected 

C1 as described in Table 15-1; CO, C2, C3 undefined. - 
Numeric Exceptions | 

P, D, I, IS. 


Protected Mode Exceptions _ 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 
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FRSTOR — Restore FPU State 


Opcode Instruction _. Clocks. | Description 


DD /4 BAN ANeh m9g94/ 131 real or virtual/120 . Load FPU state from moAbyte or si 1oebyie: 
. . o8byte protected | | 


Operation 


FPU state < SRC; 


Description 


FRSTOR reloads the FPU ‘state (environment and register stack) from the memory area 
defined by the source operand. This data should have been written by a previous 
FSAVE or FNSAVE instruction. 


The FPU environment consists of the FPU control word, status word, tag word, and 
error pointers (both data and instruction). The environment layout in memory depends: 
on both the operand size and the current operating mode of the processor. The USE 
attribute of the current code segment determines the operand size: the 14-byte operand 
applies to a USE16 segment, and the 28-byte operand applies to a USE32 segment. 

Figures 15-5 through 15-8 show the environment layouts for both operand sizes in both 
real mode and protected mode. (In virtual-8086 mode, the real mode layout is used.) 
The stack registers, beginning with ST and ending with ST(7), are in the 80 bytes that 
immediately follow the environment image. FRSTOR should be executed in the same 
operating mode as the corresponding FSAVE or FNSAVE, a oe ee 


FPU Flags Affected 


CO, C1, C2, C3 as loaded. 


Numeric Exceptions 


None, except for loading an unmasked exception. 


Protected Mode Exceptions | 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 


fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a. page fault; #AC for 
unaligned memory reference if the current privilege level is 3. | 


Notes 


If the state image contains an unmasked exception, loading it will result in a floating- 
point error condition. 
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FSAVE/FNSAVE — Store FPU State 


Opcode —_—_iInstruction - =~ ~+Clocks' = ~=——...__—sODescription © 


9B DD /6 FSAVE m94/108byte —- 154 real or virtual/143 Store FPU state to m94byte or m108byte after 
protected; +. at least 3 checking for unmasked floating-point error con- 
for FWAIT dition. Then re-initialize the FPU. 
DD /6 FNSAVE m94/ 154 real or virtual/143 Store FPU environment to m94byte or m108byte 
108byte protected ~ without checking for unmasked floating-point — 
error condition. Then re-initialize the FPU. 


Operation 


DEST < FPU state; 
initialize FPU; (* Equivalent to FNINIT *) 


Description 


The save instructions write the current FPU state (environment and register stack) to 
the specified destination, and then re-initialize the FPU. The environment consists of 
the FPU control word, status word, tag word, and error pointers (both data and 
instruction). 


The state layout in memory depends on both the operand size and the current operating 
mode of the processor. The USE attribute of the current code segment determines the 
operand size: the 94-byte operand applies to USE16 segment, and the 108-byte operand 
applies to a USE32 segment. Figures 15-5 through 15-8 show the environment layouts for 
both operand sizes in both real mode and protected mode. (In virtual-8086 mode, the 
real mode layout is used.) The stack registers, beginning with ST and ending with ST(7), 
are stored in the 80 bytes that immediately follow the environment image. 


FPU Flags Affected 


CO, C1, C2, C3 cleared. 


Numeric Exceptions 


None. 


Protected Mode Exceptions 


#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in 
CRO is set; #AC for unaligned memory reference if the current privilege level is 3. 
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Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
O to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


FSAVE and FNSAVE do not store the FPU state until all FPU activity is complete. 
Thus, the saved image reflects the state of the FPU after any previously decoded instruc- 
tion has been executed. 


If a program is to read from the memory image of the state following a save instruction, 
it must issue an FWAIT instruction to ensure that the storage is complete. 


The save instructions are typically used when an operating system needs to perform a 


context switch, or an exception handler needs to use the FPU, or an application program 
wants to pass a “clean” FPU to a subroutine. 
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FSCALE — Scale 


Operation 


ST <— ST x 287. 


Description 
The scale instruction interprets the value in ST(1) as an integer, and adds this integer to 


the exponent of ST. Thus, FSCALE provides rapid multiplication or orden as integral 
powers of 2. 


FPU Flags Affected ° 
Cl as : described i in | Table 15- 1; CO, C2, C3 undefined. 


Numeric Exceptions | 


P, U,O,D,L IS. 


_ Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Notes 


FSCALE can be used as an inverse to FXTRACT. Since FSCALE does not pop the 
exponent part, however, FSCALE must be followed by FSTP ST(1) in order to com- 
pletely undo the effect of a preceding FXTRACT. 


There is no limit on the range of the scale factor in ST(1). If the value is not integral, 


FSCALE uses the nearest integer smaller in magnitude; i.e., it chops the value toward 0. 
If the resulting integer is zero, the value in ST is not changed. 
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FSIN —Sine 


Operation 


IF operand is in range 
THEN 

C2 < 0; 

ST < sin(ST); 
ELSE 

C2 <— 1; 
Fl: 


Description 


The sine instruction replaces the contents of ST with sin(ST). ST, expressed in radians, 
must lie in the range | 6 | < 2. 


FPU Flags Affected 


C1, C2 as described in Table 15-1; CO, C3 undefined. 
Numeric Exceptions 

P, U, D, I, IS. 

Protected Mode Exceptions 


#tNM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 
#NM if either EM or TS in CRO is set. 
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Notes 


If the operand is outside the acceptable. range, the C2 flag is set, and ST. remains 


- unchanged. It is the programmer’s responsibility to reduce the operand to an absolute 


value smaller than 2° by subtracting an appropriate integer multiple of 27. See 
Section 17.5 for a discussion of the proper value to. use for 7 in performing such 
reductions. | 


The Intel486 CPU periodically checks for interrupts while performing this instruction. Tt 
will be aborted to service an interrupt. | 
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FSINCOS — Sine and Cosine 


Opcode Instruction Clocks Concurrent Execution Description | 
D9 FB FSINCOS 291 (243-329) 2 Compute the sine and cosine of ST; 


replace ST with: the sine, and then ~ 
push the cosine onto the FPU stack. 


Operation 
IF operand is in range 
THEN 
C2 <0; 
TEMP < cos(ST); 
ST < sin(ST); 
Decrement FPU stack-top pointer; 
ST <— TEMP; 
ELSE 
C2 <1; 
Fl: 


Description 


FSINCOS computes both sin(ST) and cos(ST), replaces ST with the sine and then 
pushes the cosine onto the FPU stack. ST, expressed in radians, must lie in the range 
Rea eee | : 7 


FPU Flags Affected 


C1, C2 as described in Table 15-1; CO, C3 undefined. 


Numeric Exceptions 
P, U, D, I, IS. 
Protected Mode Exceptions 


##NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 
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Notes 

If the operand iS outside. the acceptable range, the C2 flag is set, and. ST remains 
unchanged. It is the programmer’ S responsibility to reduce the operand to an absolute 
value smaller than 2°° by subtracting an appropriate integer multiple of 277. See Section 
17.5 for a discussion of the proper value to use for m in performing such reductions. 
It is faster to execute FSINCOS than to execute both FSIN and FCOS. 


The Intel486 CPU periodically checks for interrupts while performing this instruction. It 
will be aborted to service an interrupt. : 
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FSQRT — Square Root 


Operation 


ST <— square root of ST; | 


Description 


The square root instruction replaces the value in ST with its square root. 


FPU Flags Affected 


Cl as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


P, D, I, IS. 


Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Notes 


The square root of —0 is —0. 
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FST/ FSTP— Store Real 


Instruction — | -———- Deseription 


FST m32real | | _ Copy ST-to m32real . 
FST m64real Copy ST to m64real. 
FST ST(i) a — Copy ST to ST(i). 


FSTP m32real Copy ST to m32real and pop ST. 
FSTP m64real Copy ST to m64real and pop ST. 
FSTP m80real Copy ST to m80real and pop ST. 
FSTP ST(i) _ Copy ST to ST(i) and pop ST. | 


Operation 


DEST <— ST(0); 
IF instruction = FSTP THEN pop ST FI; 


Description 


FST copies the current value in the ST register to the destination, which can be another 
register or a single- or double-real memory operand. FSTP copies and then pops ST; it 
accepts extended-real memory operands as well as the types accepted by FST. , 


If the source is a register, the register number used is that before the stack is popped. 


FPU Flags Affected 


Cl as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


Register or extended-real destinations: IS 
Single- or double-real destinations: P, U, O, D, I, IS 


Protected Mode Exceptions 


#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in 
CRO is set; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 
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Virtual 8086 Mode Exceptions 


_ Same exceptions as in Real Address Mode; #PF(fault code) for a ee fault; #AC for 
unaligned memory reference if the current privilgee'| ve is 3. | 


Notes 


If the destination is single- or double-real, the significand is rounded to the width of the 
destination according to the RC field of the control word, and the exponent is converted 
to the width and bias of the destination format. The over/underflow condition is checked 
for as well. 7 


If ST contains zero, +, or a NaN, then the significand is not rounded, but chopped (on 
the right) to fit the destination. Nor is the exponent converted; it too is chopped on the 
right. These operations preserve the value’s identity as © or NaN (exponent all ones). 


The invalid-operation exception is not raised when the destination is a nonempty stack 
element. 
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FSTCW/ FNSTCW — Store Control Word | 


Opcode © Instruction _ oh COCKS: = 7 Description 
9B D9 /7 FSTCW m2byte -  - 3 + at least 3 for’ . ©: Store FPU contro! word to me2byte after checking 
: FWAIT 


| for unmasked floating-point error condition. 
D9 /7 FNSTCW m2byte 3 Store FPU control word to m2byte without 
, each for unmasked floating- paint error 

condition. 


Operation 
DEST < CW; 
Description ~ 


FSTCW and FNSTCW write the current valué of the FPU control word to the pipet’ 
destination. . | atts | re | 


FPU Flags Affected 
CO, C1, C2, C3 undefined. 


Numeric Exceptions 


None. 


Protected | Mode Exceptions 
#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 


address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in 
CRO is set; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
Q to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode. Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


FSTCW checks for unmasked floating-point error conditions before storing the control 
word; FNSTCW does not. 
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FSTENV/FNSTENV — Store FPU Environment 


Opcode Instruction Clocks Description 


9B D9 /6 FSTENV m14/28byte _ 67 real or virtual/56 ~ Store FPU environment to m14byte or m28byte 
: protected; + at least 3 after checking for unmasked floating-point error 
for FWAIT condition. Then mask all floating-point 

exceptions. 

D9 /6 hoe m14/ 67 real or virtual/56 Store FPU environment to m7/4byte or m28byte 

8byte protected; without checking for unmasked floating-point 
ag error condition. Then mask all floating-point 

exceptions. 


Operation 


DEST <— FPU environment: 
CW[O0..5] <— 111111B: 


Description 


The store environment instructions write the current FPU environment to the specified 
destination, and then mask all floating-point exceptions. The FPU environment consists 
of the FPU control word, status word, tag word, and error pointer (both data and 
instruction). | 


The environment layout in memory depends on both the operand size and the current 
operating mode of the processor. The USE attribute of the current code segment deter- 
mines the operand size: the 14-byte operand applies to a USE16 segment, and the 
28-byte operand applies to a USE32 segment. Figures 15-5 through 15-8 show the envi- 
ronment layouts for both operand sizes in both real mode and protected mode. (In 
virtual-8086 mode, the real mode layout is used.) 


FPU Flags Affected 


C0, C1, C2, C3 undefined. 


Numeric Exceptions 


None. 


Protected Mode Exceptions 


#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in 
CRO is set; #AC for unaligned memory reference if the current privilege level is 3. 
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Real Address Mode Exceptions. 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OEREPES pcre 7 if either ae or TS in CRO is set. | 7 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; gore code) fe for a page fault #AC for 
unaligned memory reference if the current privilege level is 3. ; | 


Notes 


FSTENV and FNSTENV do not store the environment until all FPU activity is com- 
plete. Thus, the saved environment reflects the state of the FPU after any previously 
decoded instruction has been executed. 


The store environment instructions are often used by exception handlers because. they 
provide access to the FPU error pointers. The environment is typically saved onto the 
memory stack. After saving the environment, FSTENV and FNSTENV sets all the 
exception masks in the FPU control word. This > prevents floating- point errors from inter- 
PUpEnE, the exception handler. 


FSTENV checks for iinmmaeked fia seit error conditions before storing the FPU 
environment; FNSTENV does not. 
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FSTSW/FNSTSW —Store Status Word 


Opcode Instruction Clocks Description 


9B DD /7 FSTSW md2byte 3 + at least 3 for Store FPU status word to mbyte after checking 
FWAIT for unmasked floating-point error condition. 


9B DF EO FSTSW 3 ee least 3 for Store FPU status word to AX register after 
F 


IT checking for unmasked floating-point error 
condition. 
DD /7 FNSTSW m2byte Store FPU status word to m2byte without check- © 
ing for unmasked floating-point error condition. 
DF EO FNSTSW AX Store FPU status word to AX register without 
checking for unmasked floating-point error 
condition. 


Operation 


DEST < SW; 


Description 


FSTSW and FNSTSW write the current value of the FPU status word to the specified 
destination, which can be either a two-byte location in memory or the AX register. 


FPU Flags Affected 


CO, C1, C2, C3 undefined. 


Numeric Exceptions 


None. 


Protected Mode Exceptions 
#GP(0) if the destination is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 


_ address in the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in 
CRO is set; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. | 
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Notes 

FSTSW checks for unmasked floating-point error conditions before storing the status 
word; ee does not. Hee. ti oe | tas ae 
FSTSW ane ENSTSW : are Cae primarily j in: cancion branching (after a comparison, | 
FPREM, FPREM1, or FXAM. instruction). They can also be used to invoke exception 
handlers (by polling the exception bits) in environments that do not use interrupts. — 
When FNSTSW AX is executed, the AX register is updated before the Intel486 proces- 


sor executes any further instructions. The status stored is that from the completion of 
the prior ESC instruction. 
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FSUB/FSUBP/FISUB — Subtract 


‘Instruction — Clocks Concurrent Execution Description 


FSUB m32real 10 (8-20) 7 (5-17) Subtract m32real from ST. 

FSUB m64real 10 (8-20) 7 (5-17) Subtract m64real from ST. 

FSUB ST, ST(i) 10 (8-20) 7 (5-17) Subtract ST(i) from ST—STO. 

FSUB ST(i), ST 10 (8-20) 7 (5-17) Replace ST(i) with ST —ST(i). 

FSUBP ST(i), ST 10 (8-20) 7 (5-17) Replace ST(i) with ST —ST(i); pop ST. 
FSUBP 10 (8-20) 7 (5-17) Replace ST(1) with ST —ST(1); pop ST. 
FISUB m32int 22.5 (19-32) 7 (5-17) Subtract m32int from ST. 

FISUBm16int 24 (20-35) 7 (5-17) Subtract m16int from ST. 


Operation 


DEST < ST — Other Operand; 
IF instruction = FSUBP THEN pop ST FI; 


Description 


The subtraction instructions subtract the other operand from the stack top and return 
the difference to the destination. 


FPU Flags Affected 


C1 as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions 


P, U, O, D, I, IS. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 


fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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Notes 


If the source operand is in memory, it is automatically converted to the extended-real 
format. | | | | | 
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FSUBR/FSUBPR/FISUBR — Reverse Subtract 


~ Instruction Clocks Concurrent Execution Description 
FSUBR m32real 10 (8-20) 7 (5-17) Replace ST with m32real — ST. 


FSUBR m64real 10 (8-20) 7 (5-17) _ Replace ST with m64real — ST. 
FSUBR ST, ST(i) 10 (8-20) 7 (5-17) Replace ST with ST(i) — ST. 


FSUBR ST(i), ST 10 (8-20) 7 (5-17) Subtract ST from ST(i)>ST(i). 
FSUBRP ST(i), ST 10 (8-20) 7 (5-17) Subtract ST from ST(i) and pop ST. 
FSUBR 10 (8-20) 7 (5-17) Subtract ST from ST(1) and pop ST. 
FISUBR m32int 22.5 (19-32) . 7 (5-17) Replace ST with m32int — ST. 
FISUBR m16int 24 (20-35) 7 (5-17) Replace ST with m76int — ST. 


Operation 


DEST < Other Operand — ST; 
IF instruction = FSUBRP THEN pop ST FI; 


Description 


The reverse subtraction instructions subtract the stack top from the other operand and 
return the difference to the destination. 


FPU Flags Affected 


C1 as described in Table 15-1; C0, C2, C3 undefined. 


Numeric Exceptions 


P, U, O, D, I, IS. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 


fault; #NM if either EM or TS in CRO is set; #AC for unaligned memory reference if 
the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside the effective address space from 
0 to OFFFFH; Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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Notes 


If the source operand is in memory, it is automatically converted to the extended-real 
format. | | | 
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FTST—TEST 


Operation 


CASE (relation of operands) OF 
Not comparable: C3, C2, CO < 111; 


ST > SRC: C3, C2, CO <— 000; 
ST < SRC: C3, C2, CO — 001; 
ST = SRC: C3, C2, CO < 100; 


Description 


The test instruction compares the stack top to 0.0. Following the instruction, the condi- 
tion codes reflect the result of the comparison. 


FPU Flags Affected 


C1 as described in Table 15-1; CO, C2, C3 as specified above. 


Numeric Exceptions 
D, I, IS. | 
Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#:NM if either EM or TS in CRO is set. 
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Notes 


If ST contains a NaN or an object of undefined format, or if a stack fault occurs, the 
invalid-operation exception is raised, and the condition bits are set to “unordered.” 


The sign of zero is ignored, so that —0.0=-+0.0. 


26-142 


intel. , INSTRUCTION SET 


FUCOM/FUCOMP/FUCOMPP — Unordered Compare Real 


Instruction Concurrent Execution Description 


FUCOM ST(i) Compare ST with ST(i). 
FUCOM Compare ST with ST(1). 


FUCOMP 
FUCOMPP 


Compare ST with ST(1) and pop ST... 
Compare ST with ST(1) and pop ST twice. 


1 
| 
FUCOMP ST(i) 1 Compare ST with ST(i) and pop ST. 
1 
1 


Operation 


CASE (relation of operands) OF — 
Not comparable: C3, C2, CO < 111; 


_ ST > SRC: C3, C2, CO — 000; 
ST < SRC: C3, C2, CO < 001; 
ST = SRC: C3, C2, CO < 100; 


IF instruction = FUCOMP THEN pop ST; FI; | 
_IF instruction = FUCOMPP THEN pop ST; pop ST; Fi; 


Description 


The unordered compare real instructions compare the stack top to the source, which 
must be a register. If no operand is encoded, ST is compared to ST(1). Following the 
instruction, the condition codes reflect the relation between ST and the source operand. 


FPU Flags Affected 


C1 as described in Table 15-1; CO, C2, C3 as specified above. 


Numeric Exceptions 
D, I, IS. 
Protected Mode Exceptions 
#NM if either EM or TS in CRO is set. 
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Real Address Mode Exceptions 

ieee 7a either EM or TS in CRO is set. 
Virtual 8086 Mode Exceptions 

#NM if cither EM or TS in CRO is set 

Notes 


If either operand is an SNaN or is in an undefined format, or if a stack fault occurs, the 
invalid-operation exception is raised, and the condition bits are set to “unordered.” __ 


If either operand is a QNaN, the condition bits are set to “unordered.” Unlike the 
ordinary compare instructions (FCOM, etc.), the unordered compare instructions do not 
raise the invalid-operation exception on account of a QNaN operand. | 


The sign of zero is ignored, so that —0.0=— +0.0. | 
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Description 


FWAIT causes the processor to check for pending unmasked numeric exceptions before 
proceding. 


FPU Flags Affected 
CO, C1, C2, C3 undefined. 


Numeric Exceptions 


None. 


Protected Mode Exceptions 


_#NM if both MP and TS in CRO are set. 


Real Address Mode Exceptions 


Interrupt 7 if both MP and TS in CRO are set. 


Virtual 8086 Mode Exceptions 


#NM if both MP and TS in CRO are set. 


Notes 


As its opcode shows, FWAIT is not actually an ESC instruction, but an alternate mne- 
monic for WAIT. 


Coding FWAIT after an ESC instruction ensures that any unmasked floating-point 
exceptions the instruction may cause are handled before the processor has a chance to 
modify the instruction’s results. 


Information about when to use FWAIT is given in Chapter 18, in the section on “Con- 
current Processing.”’ 
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FXAM — Examine 


Operation 
C1 < sign bit of ST: (* 0 for positive, 1 for negative *) — 


CASE (type of object in ST) OF 
Unsupported: C3, C2, CO < 000; 


NaN: C3, C2, CO < 001; 
Normal: C3, C2, CO < 010; 
Infinity: C3, C2, CO < 011; 
Zero: C3, C2, CO < 100; 
Empty: C3, C2, CO — 101; 
Denormal: C3, C2, CO < 110; 


Description 


The examine instruction reports the type of ore contained i in me ST register by setting 
_ the FPU Flags. Ka , 


FPU Flags Affected 


CO, C1, C2, C3 as shown above... 
Numeric Exceptions | 

Noiie: | 

Protected Mode Exceptions 7 

#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 
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Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 
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FXCH — Exchange Register Contents 


Opcode instruction Clocks - Description 


D9 C8+i FXCH ST(i) 4 Exchange thecontents of ST and ST(i). 
D9 C9 FXCH 4 -_ Exchange the contents of ST and ST(1). . 


Operation 


‘TEMP < ST: 
ST < DEST; 
DEST <— TEMP: 


Description 


FXCH swaps the contents of the destination and stack-top registers. If the destination is 
not coded explicitly, ST(1) is used. | 


FPU Flags Affected 


C1 as described in Table 15-1; C0, C2, C3 undefined. 


Numeric Exceptions 


IS. 


Protected Mode Exceptions 


NM if Sithés EM or TS in CRO is set. 


Real Address Mode Exceptions 


‘Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 
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Notes 


Many numeric instructions operate only on the stack top; FXCH provides a simple 
means for using these instructions on lower stack elements. For example, the following 
sequence takes the square root of the third register form the top (assuming that ST is | 
nonempty): | : 


FXCH ST(3) 


FSQRT 
FXCH ST(3) 
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FXTRACT — Extract Exponent and Significand 


Opcode _ Instruction © Clocks Concurrent Execution Description | 
D9F4 = FXTRACT)~=—Ss«19.(16-20) 4. (2-4) _._. Separate ST into its exponent and signifi-_ 


cand; replace ST with the exponent and 
nev puen the significand onto the FPU 
stack. 


Operation 


TEMP < significand of ST; 

ST < exponent of ST; 

Decrement FPU stack-top pointer; 
ST <— TEMP; 


Description 


FXTRACT splits the value in ST into its exponent and significand. The exponent 
replaces the original operand on the stack and the significand is pushed onto the stack. 
Following execution of FXTRACT, ST (the new stack top) contains the value of the 
Original significand expressed as a real number: its sign is the same as the operand’s, its 
exponent is 0 true (16,383 or 3FFFH biased), and its significand is identical to the 
original operand’s. ST(1) contains the value of the original operand’s true (unbiased) 
exponent expressed as a real number. 


To illustrate the operation of FXTRACT, assume that ST contains a number whose true 
exponent is +4 (i.e., its exponent field contains 4003H). After executing FXTRACT, 
ST(1) will contain the real number +4.0; its sign will be positive, its exponent field will 
contain 4001H (+2 true) and its significand field will contain 1,00...00B. In other words, 
the value in ST(1) will be 1.0 x 2? = 4. If ST contains an operand whose true exponent 
is —7 (i.e., its exponent field contains 3FF8H), then FXTRACT will return an “expo- 
nent” of —7.0; after the instruction executes, ST(1)’s sign and exponent fields will con- 
tain C001H (negative sign, true exponent of 2), and its significand will be 1,1100...00B. 
In other words, the value in ST(1) will be —1.75 x 2*=—7.0. In both cases, following 
FXTRACT, ST’s sign and significand fields will be the same as the original operand’s, 
and its exponent field will contain 3FFFH (0 true). 


FPU Flags Affected 


C1 as described in Table 15-1; C0, C2, C3 undefined. 


Numeric Exceptions 
Z, D, I, IS. 
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Protected Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 
#NM if either EM or TS in CRO is set. 


Notes 


FXTRACT (extract exponent and iekineend) performs a niente of the TEEE- 
recommended logb(x) function. 


If the original operand is zero, FXTRACT leaves —o in ST(1) (the exponent) while ST 
is assigned the value zero with a sign equal to that of the original operand. The zero- 
divide exception is raised in this case, as well. | i 


ST(7) must be empty to avoid the invalid-operation exception. 


FXTRACT is useful for power and range scaling operations. Both FXTRACT and the 
base 2 exponential instruction F2XM1 are needed to perform a general power opera- 
tion. Converting numbers in extended-real format to decimal representations (e.g., for 
printing or displaying) requires not only FBSTP but also FXTRACT to allow scaling that 
does not overflow the range of the extended format. FXTRACT can also be useful for 
debugging, because it allows the exponent and significand parts of a real number to be 
examined separately. 
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FYL2x— Compute y x log.x 


Operation 


ST(1) < ST(1) x log.ST; 
pop ST; 


Description 
FYL2X computes the base-2 logarithm of ST, multiplies the logarithm by ST(1), and 


returns the resulting value to ST(1). It then pops ST. The. ape in ST cannot ae 
negative. AMS mes 


FPU Flags Affected 


C1 as described in Table 15-1; CO, C2, C3 undefined. 


Numeric Exceptions _ 


P, U, OZ, D, 1, IS. 


Protected Mode Exceptions 


#NM if either EM or TS j in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions 


#NM if either EM or TS in CRO is set. 


Notes 
If the operand in ST is negative, the invalid-operation exception is raised. 


The FYL2xX instruction is designed with a built-in multiplication to optimize the calcu- 
lation of logarithms with arbitrary positive base: 


log,x = (logsb)~' x logsx 
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The instructions FLDL2T and FLDL2E load the constants log,10. and log,e, 
respectively. | 


The Intel486 CPU periodically checks interrupts while executing this instruction. It will 
be aborted to service an interrupt. 
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FYL2XP1—Compute y x log;(x +1) 


Opcode Instruction Clocks Concurrent Execution Description 


D9FQ --FYL2XP1. «= 313. (171-326) 13 = = ~~“ Replace ST(1) with ST(1) x loga(ST +1.0) 
and pop ST. 


Operation © 


ST(1) — ST(1) x log.(ST + 1.0): 
pop ST; 


Description 


FYL2XP1 computes the base-2 logarithm of (ST+ 1.0), multiplies the logarithm by 
ST(1), and returns the ones value to ST(1). It then pops ST. The operand in ST 
must be in the range. 


—(1-(\/2/2)) < STs V2 -1 


FPU Flags Affected 


C1 as described in Table 15-1; CO, C2, C3 undefined. 
Numeric Exceptions 

| P, U, D, I, IS. 

Protected Mode Exceptions 


#:NM if either EM or TS in CRO is set. 


Real Address Mode Exceptions 


Interrupt 7 if either EM or TS in CRO is set. 


Virtual 8086 Mode Exceptions — 


#NM if either EM or TS in CRO is set. | 


Notes 


If the operand in ST is outside the acceptable range, the result of FYL2XP1 is 
— undefined: 
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The FYL2XP1 instruction provides improved accuracy over FYL2X when computing the 
logarithms of numbers very close to 1. When e is small, more significant digits can be 
retained by providing e as an argument to FYL2XP1 than by providing 1+¢« as an argu- 
ment to FYL2X. | 


The Intel486 CPU periodically checks for interrupts while executing this instruction. It 
will be aborted to service an interrupt. 
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HLT — Halt 


Operation 

Enter Halt state; 

Description 

The HLT instruction stops instruction execution and places the processor in a HALT 
state. An enabled interrupt, NMI, or a reset will resume execution. If an interrupt 


(including NMI) is used to resume execution after a HLT instruction, the saved CS:IP 
(or CS:EIP) value points to the instruction following the HLT instruction. 


Flags Affected 


None. — 


Protected Mode Exceptions 


The HLT instruction is a privileged instruction; #GP(0) if the current privilege level is 
not 0. : 


Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


#GP(0); the HLT instruction is a privileged instruction. 
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IDIV — Signed Divide 


Instruction - Clocks Description 


IDIV r/m8 19/20 Signed divide AX (where AH must contain sign- 
extension of AL) by r/m byte. (Results: AL= Quo, 
AH = Rem) 

IDIV AX,r/m16 27/28 Signed divide DX:AX (where DX must contain sign- 
extension of AX) by r/m word. (Results: AX = Quo, 
DX = Rem) 


IDIV EAX,r/m32 43/44 Signed divide EDX:EAX (where EDX must contain 
sign-extension of EAX) by r/m dword. EAteeue: 
EAX = Quo, EDX = Rem) a 


Operation 


temp < dividend / divisor; 
IF temp does not fit in quotient 
THEN Interrupt 0; 
ELSE | 

quotient < temp; 

remainder < dividend MOD (r/m); 
Fl; 


Notes: Divisions are signed. The dividend must be sign-extended. The divisor is given by 
the r/m operand. The dividend, quotient, and remainder use implicit registers. Refer to 
the table under “Description.” 


Description 


The IDIV instruction performs a signed division. The dividend, quotient, and remainder 
are implicitly allocated to fixed registers. Only the divisor is given as an explicit r/m 
operand. The type of the divisor determines which registers to use as follows: 


—avatent[_Remainsor [ovina 


AL AH 
AX DX 
EDX 


Divisor 


If the resulting quotient is too large to fit in the destination, or if the divisor is 0, an 
Interrupt 0 is generated. Nonintegral quotients are truncated toward 0. The remainder 
has the same sign as the dividend and the absolute value of the remainder 1 is always less 
than the absolute value of the divisor. 


Flags Affected — 
The OF, SF, ZF, AF, PF, CF flags are undefined. 
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Protected Mode Exceptions 


Interrupt 0 if the quotient is too large to fit in the designated register (AL or AX), or if 
the divisor is 0; #GP (0) for an illegal memory operand effective address in the CS, DS, 
_ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault- 
code) for a page raul, #AC for unaligned memory reference if the current privilege 
level is 3. | 


Real Address Mode Exceptions: 
raternuet 0 if the quotient is too large to fit in the aetonnied register (AL « or + AX), ¢ or if 


the divisor is 0; Interrupt 13 if any part of the operand would lie outside of the effective 
address space from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- code) for a ae fault; #AC for 
unaligned memory reference if the current privilege level is 3. 7 
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Opcode 
F6 /5 
F7 /5 
F7 /5 
OF AF /r 
OF AF /r 
6B /r ib 


6B /r ib 
6B /r ib 
6B /r ib 
69 /riw 
69 /rid 


69 /riw 
69 /rid 


Instruction 


IMUL r/m8 

IMUL r/m16 

IMUL r/m32 

IMUL r16,r/m16 

IMUL r32,r/m32 

IMUL r16,r/m16,imm8 


-IMUL 132,r/m32,imm8 


IMUL r16,imm8 
IMUL r32,imm8 


IMUL r16,r/ 
m16,imm16 


“IMUL r32,r/ 


m32,imm32 
IMUL r716,imm16 
IMUL r32,imm32 
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~ Clocks 


13-18/13-18 
13-26/13-26 
12-42/13-42 
13-26/13-26 
13-42/13-42 


13-26/13-26 


13-42/13-42 
13-26 
13-42 
13-26/13-26 
13-42/13-42 


13-26/13-26 
13-42/13-42 


Description 


- AX AL * r/mbyte | 


DX:AX <— AX * r/m word 

EDX:EAX <— EAX * r/m dword 

word register < word register * r/m word. 

dword register — dword register * r/m dword 
word register — r/m16 * sign- -extended immedi- 
ate byte 
dword register <— r/m32 * sign- “extended immer 
ate byte 


‘word register <—.word register * sign- “extended 


immediate byte 

dword register — dword register : sign- soxtenaed 
immediate byte 

word register — r/m16 * immediate word 


dword register <— r/m32 * immediate dword ° 


word register <— r/m16 * immediate word 
dword register <— r/m32 * immediate dword 


NOTES: The Intel486 processor uses an early-out multiply algorithm. The actual number of clocks depends on the posi- 
tion of the most significant bit in the optimizing multiplier. The optimization occurs for positive and negative | 
values. Because of the early-out algorithm, clock counts =rguel are minimum to maximum. To calculate the actual 
clocks, use the following formula:. . Oe 

Actual clock = if m <> 0 then max(ceiling(logs | m|3) + 6 clocks. 
Actual clock = if m = 0 then 9 clocks - 
(where mis the multiplier) 


Add three clocks if the multiplier is a memory operand. 


Operation 


result — multiplicand * multiplier; 


Description 


The IMUL instruction performs signed multiplication. Some forms of the instruction use 
implicit register operands. The operand combinations for all forms of the instruction are 
shown in the “Description” column above. 


The IMUL instruction clears the OF and CF flags under the following conditions (oth- 
erwise the CF and OF flags are set): 


[struction Form Condition for Clearing OF and OF 


r/m8g AL = sign-extend of AL to 16 bits 

r/m16 AX = sign-extend of AX to 32 bits 

r/m32 EDX:EAX = sign-extend of EAX to 32 bits 
r16,r/m16 Result exactly fits within r76 

1/32, r/M32 Result exactly fits within r32 
r16,r/m16,imm16 Result exactly fits within r16 


r32,r/M32,imm32 Result exactly fits within r32 
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Flags Affected 


The OF and CF flags as described in the table in the “Description” section above; the 
SF, ZF, AF, and PF flags are See Scie ae _— ae, 


Protected Mode Exceptions es | 7 _ 
#GP(0) for an illegal memory Porte effective andes in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault- -codé) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. | 


Real Address Mode Exceptions 


Interrupt 13. if any part of the aa would lie outside of the effective address sie 
from 7 to OFPFFH. hve Sti oon oe 


Virtual 8086 Mode Exceptions. 


Same exeptions as in Real Address Mode: . #PF (fault: code) 1 for a page fault: #AC for 
unaligned memory reference if the current DHyueee: te 1S 33. 


Notes 


~ When using the accumulator forms (IMUL r/m8, IMUL 1/m16, or IMUL 1r/m32), the 
result of the multiplication 1s available even if the overflow flag is set because the result 
is twice the size of the multiplicand and multiplier. This is tee ae to ) handle any 
possible result. 7 te ae oer 
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IN — Input from Port 


Opcode Instruction ~ Clocks Description 


E4 ib IN AL,immé8 14,0m = 8*/ Input byte from immediate port into AL 
28** vm =27 
E5 ib IN AX,imm16 14,pm = 8*/ Input word from immediate port into AX 
28** vm =27 
E5 ib IN EAX,imm32 14,pm = 8*/ Input dword from immediate port into EAX 


28** vm = 27 

EC IN AL,DX 14,0m = 8*/ Input byte from port DX into AL 
28** vm =27 

ED IN AX,DX 14,pm = 8*/ Input word from port DX into AX 
28** vm =27 

ED IN EAX,DX 14,pm = 8*/ Input dword from port DX into EAX 
28** vm =27 


NOTES: *If CPL <:le IOPL 
**If CPL = |OPL 


Operation 


IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) 

THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *) 
IF NOT I-O-Permission (SRC, width(SRC)) 
THEN #GP(0); 
Fl; 

Fl; 

DEST < [SRC]; (* Reads from I/O address space *) 


Description 


The IN instruction transfers a data byte or data word from the port numbered by the 
second operand into the register (AL, AX, or EAX) specified by the first operand. 
. Access any port from 0 to 65535 by placing the port number in the DX register and using 
an IN instruction with the DX register as the second parameter. These I/O instructions 
can be shortened by using an 8-bit port I/O in the instruction. The upper eight bits of the 
port address will be 0 when 8-bit port I/O is used. 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP(0) if the current privilege level is larger (has less privilege) than the I/O privilege 
level and any of the corresponding I/O permission bits in TSS equals 1. 


Real Address Mode Exceptions 
~ None. 
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Virtual 8086 Mode Exceptions 


#GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1. | 
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INC — Increment by 1 


Opcode Instruction Clocks Description 


FE /O INC r/mé J 48 Increment r/m byte by 1 
FF /O INC r/m16 1/3 Increment r/m word by 1 
FF /O INC r/m32 1/3 ~ Increment r/m dword by 1 


40+ rw INC r16 1 ; Increment word register by 1 
40+ rd INC r32 10 Increment dword register by 1 


Operation 
DEST < DEST + 1; 
Description 


The INC instruction adds 1 to the operand. It does not change the CF flag. To affect the 
CF flag, use the ADD instruction with a second operand of 1. 


Flags Affected 


The OF, SF, ZF, AF, and PF flags are set according to the result. 


Protected Mode Exceptions 
#GP(0) if the operand is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 


address in the SS segment; #PF(fault- code) for a page fault; #AC for UnBuEnces mem- 
ory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. | 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3 
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INS m8,DX. © -- 
INS m16,DX. 


INS m32,DX. 
Bote YM = 80 


~ INSB “A7pm=10*/ 


INSW 
INSD 


INSTRUCTION SET 


17,pm = 10*/ 
32** VM=30 


| 17,pm= 10*/ 
32**,VM = 30 


17,pm = 10*/ 


30** VM = 30 
17,pm = 10*/ 
32** VM =30 
17,pm = 10*/ 


INS/INSB/INSW/INSD— input from Port t to String © 


- Clocks 


Description mas . 
Input byte from port DX into ES:(E)DI 


Input word from port DX into ES;(E)DI 
Input dword from port DX into ES:(E)DI . 


Input byte from port DX into ES:(E)DI 


Input word from port DX into ES:(E)DI 
Input dword from port DX into ES:(E)DI 


32**, VM=30 


NOTES: *If CPL < IOPL 
**lf CPL > IOPL 


Operation. — 


IF AddressSize = 16 

THEN use DI for dest-index; 

ELSE (* AddressSize = 32 *) 
use EDI for dest-index; 

Fl; 

IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) 

THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL 2 
IF NOT |-O- Permission pale eee 
‘THEN per ys Ee sets 
Ely ) : 

IF Brae ies of i aeiruction 

THEN | 
ES:[dest-index] < [DX]; (* Reads byte at DX from I/O address space *) 
IF DF = 0 THEN IncDec <- 1 ELSE meree <— —1; FI; 

Flt , 

IF OperandSize = = 16 

THEN 
ES:[dest-index] < [DX]; (* Reads word at DX from I/O address spate *). 
IF DF = O THEN IncDec < 2 ELSE IncDec < —2; Fl; | 

Fl; 

IF OperandSize ='32 

THEN 
ES:[dest-index] <- [DX]; (* Reads dword at DX from I/O address Space *) 
IF DF = 0 THEN IncDec < 4 ELSE IncDec < —4; FI; 

Fi; 

dest-index < dest-index + IncDec; 


Description 


The INS instruction transfers data from the input port numbered by the DX register to 
the memory byte or word at ES:dest-index. The memory operand must be addressable 
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from the ES register; no segment override is possible. The destination register is the DI 
register if the address-size attribute of the instruction is 16 bits, or the EDI register if the 
address-size attribute is 32 bits. 


The INS instruction does not allow the specification of the port number as an immediate 
value. The port must be addressed through the DX register value. Load the correct value 
into the DX register before executing the INS instruction. 


The destination address is determined by the contents of the destination index register. 
Load the correct index into the destination index register before executing the INS 
instruction. 


After the transfer is made, the DI or EDI register advances automatically. If the DF flag 
is 0 (a CLD instruction was executed), the DI or EDI register increments; if the DF flag 
is 1 (an STD instruction was executed), the DI or EDI register decrements. The DI 
register increments or decrements by 1 if a byte is input, by 2 if a word i is input, or by 4 
if a doubleword is input. 


The INSB, INSW and INSD instructions are synonyms of the byte, word, and double- 


word INS instructions. The INS instruction can be preceded by the REP prefix for block 
input of CX bytes or words. Refer to the REP instruction for details of this operation. 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP(0) if the current privilege level is numerically greater than the I/O privilege level 
and any of the corresponding I/O permission bits in TSS equals 1; #GP(0) if the desti- 
nation is in a nonwritable segment; #GP(0) for an illegal memory operand effective 
address in the ES, segment; #PF(fault-code) for a page fault; #AC for unaligned mem- 
ory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 
#GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault- 


code) for a page fault; #AC for unaligned memory reference if the current privilege 
level is 3. 
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INT/INTO — -Call to Interrupt Procedure ie a 


instruction Sicces Description — 


INT 3 26 Interrupt 3—trap to debugger 

© Nee Bas 44... '.. Interrupt 3— Protected Mode, same privilege 
INT 3 . 71 . | Interrupt 3—Protected Mode, more privilege . 
INT3 ~~ 82 _ ‘Interrupt 3—from V86 mode to PLO _ 
INT 3 S7tisk: « °™ Interrupt 3— Protected Mode, via task gate . 
INT immé 30 Interrupt numbered by immediate byte 
INT imm& «44 . Interrupt— Protected Mode, same privilege __ 

~ INT immé © Tie a Sees -- Interrupt—Protected Mode, more privilege’ 

. INT immé BB. a: 8s _. -) Interrupt—from:V86 mode to PLO . | 
INT immé 37+TS Interrupt— Protected Mode, via task gate 
INTO Pass: 28, Fail: 3 Interrupt 4—if overflow flag is 1 . 
INTO 46 Interrupt 4—Protected Mode, same privilege 
INTO). » TB ie .-» Interrupt 4— Protected Mode, more privilege 
INTO Se aa 4 84 ». Interrupt 4—from V86 mode to PLO — 

INTO © es 39+TS ar ' Interrupt 4—Protected Mode, via task gate | 


NOTE: Approximate values of ts are given by the following table: 


a i 
Old Task .._—s. ——— ———— 
e __-to Intel486™ CPU TSS _ to 80286 TSS - to VM TSS 


-VM/intelag6 CPU/80286 TSS | = 199° Inkl 


Operation 


NOTE: The following operational description applies not only to the above instructions 
but also to external interrupts and exceptions. 


IF PE = 0 eas | 
THEN GOTO REAL-ADDRESS- MODE; 
ELSE GOTO PROTECTED- MODE; 

FI; 


REAL-ADDRESS-MODE: 
Push (FLAGS); 
IF < QO; (* Clear interrupt flag *) 
TF < 0; Si Clear trap flag a, 
- Push(CS); | : 
Pushi(IP); | 
(* No error codes are miianied =) 
CS < IDT[Interrupt number * 4].selector; 
IP <— ee number - ah offset; 


(*. Start execution in real address mode ) 
PROTECTED-MODE: 
Interrupt vector must be within IDT table limits, 
else #GP(vector number * 8+2+ EXT); 
Descriptor AR byte must indicate interrupt gate, trap gate, or eek gate, 
else #GP(vector number * 8+2-+ EXT); 


26-166 


intel P INSTRUCTION SET 


IF software interrupt (* i.e. caused by INT n, INT 3, or INTO *) 
THEN 
IF gate descriptor DPL < CPL 
THEN #GP(vector number * 8+2+ EXT); 
Fl; 
Fl: 
Gate must be present, else #NP(vector number *8+2+EXT); 
IF trap gate OR interrupt gate 
THEN GOTO TRAP-GATE-OR-INTERRUPT-GATE; 
ELSE GOTO TASK-GATE; 
Fl: 


TRAP-GATE-OR-INTERRUPT-GATE: 
Examine CS selector and descriptor given in the gate descriptor: 
Selector must be non-null, else #GP (EXT); 
Selector must be within its descriptor table limits 
ELSE #GP(selector + EXT); 
Descriptor AR byte must indicate code segment 
ELSE #GP(selector + EXT); 
Segment must be present, else #NP(selector + EXT): 


IF code segment is non-conforming AND DPL < CPL 
THEN GOTO INTERRUPT-TO-INNER-PRIVILEGE; 
ELSE | 
IF code segment is conforming OR code segment DPL = CPL 
THEN GOTO INTERRUPT-TO-SAME-PRIVILEGE-LEVEL; 
ELSE #GP(CS selector + EXT); | 
FI; 
FI; 


INTERRUPT-TO-INNER-PRIVILEGE: 
Check selector and descriptor for new stack in current TSS; 
Selector must be non-null, else #TS(EXT); 
Selector index must be within its descriptor table limits 
ELSE #TS(SS selector + EXT); 
Selector’s RPL must equal DPL of code segment, else #TS(SS 
selector + EXT); | 
Stack segment DPL must equal DPL of code segment, else #TS(SS 
selector+EXT); | 
Descriptor must indicate writable data segment, else #TS(SS 
selector + EXT); 
Segment must be present, else #SS(SS selector + EXT); 
IF 32-bit gate 
THEN New stack must have room for 20 bytes else #SS(0) 
ELSE New stack must have room for 10 eyes else #SS(0) . 
Fl; 
Instruction pointer must be within CS segment Boundaries else #GP(0 ); 
lf VM=1 in EFLAGS 
Then Goto INTERRUPT from V-86-MODE: 
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Load new SS and eSP value from TSS; 

IF 32-bit gate 

THEN CS:EIP < selector:offset from gate; 

ELSE CS:IP < selector:offset from gate; 

Fl: 
‘ Load CS descriptor into invisible portion of CS register; 

Load SS descriptor into invisible portion of SS register; 

IF 32-bit gate 

THEN SO | 
Push (long pointer to old stack) (* 3 words padded to 4 *); 
Push (EFLAGS); 
Push (long Eomiet to return location) (* 3 words padded to 4%); 
ELSE | 

Push (long pointer to old stack) (* 2 words *); 

Push (FLAGS); _ | 

Push (long pointer to return location) (* 2 words *); 
Fl; 
Set CPL to new code segment DPL; 
Set RPL of CS to CPL; | | 
IF interrupt gate THEN IF < 0 (* interrupt flag to 0 (disabled) *); FI; 
TF <— 0; 
NT < 0; 


INTERRUPT-FROM-V86-MODE: 
TempEFlags < EFLAGS; 
VM <— 0; © 
TF < 0; 
IF service through Interrupt Gate THEN IF < 0; 
TempsSs < SS; 
TempESP < ESP; 
SS <— TSS.SSO0; (* Change to level 0 stack segment *) 
ESP <— TSS.ESPO; (* Change to level 0 stack peintge 7 
Push(GS); (* padded to two words *) ae 


Push(FS); (* padded to two words *) 

Push(DS); (* padded to two words *) - 

Push(ES); (* padded to two words *) 

GS ;ID 0; oe . 
FS <0; 

DS < 0; 

ES < 0; | : 

Push(TempSS); (* padded to two words *) 

Push(TempESP); 

Push(TempEFlags); 

Push(CS); (* padded to two words 2 

Push(EIP); 


CS:EIP < selector:offset from interrupt eee, 7 
(* Starts execution of new routine in Protected Mode *) 


INTERRUPT-TO- SAME- PRIVILEGE- LEVEL: 
IF 32-bit gate 
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THEN Current stack limits must allow pushing 10 bytes, else #SS(0); 
ELSE Current stack limits must allow pushing 6 bytes, else #S838(0); 
Fl; 
IF interrupt was caused by exception with error code 
THEN Stack limits must allow push of two more Byles: 
ELSE #SS(0); : 
Fl; 
Instruction pointer must be in CS limit, else #GP(0); 
IF 32-bit gate : 
THEN : 
Push (EFLAGS); 
Push (long pointer to return location); (* 3 words padded to 4 *) 
CS:EIP < selector:offset from gate; 
ELSE (* 16-bit gate *) 
Push (FLAGS); 
Push (long pointer to return location); (* 2 words *) 
CS:IP <— selector:offset from gate; 
FI; 
Load CS descriptor into invisible portion of CS register; 
Set the RPL field of CS to CPL; 
Push (error code); (* if any *) 
IF interrupt gate THEN IF < 0; Fl; 
TF < 0; 
NT <— 0; 


TASK-GATE: 
Examine selector to TSS, given in task gate descriptor; 
Must specify global in the local/global bit, else #TS(TSS. selector); | 
Index must be within GDT limits, else #TS(TSS selector); 
AR byte must specify available TSS (bottom bits 00001), 
else #TS(TSS selector); | 
TSS must be present, else #NP(TSS selector); 
SWITCH-TASKS with nesting to TSS; 
IF interrupt was caused by fault with error code 
THEN 
Stack limits must allow push of two more bytes, else #SS(0); 
Push error code onto stack; 
Fl; 7 
Instruction pointer must be in CS limit, else #GP(0); 


Description 


_ The INT n instruction generates via software a call to an interrupt handler. The imme- 
diate operand, from 0 to 255, gives the index number into the Interrupt Descriptor Table 
(IDT) of the interrupt routine to be called. In Protected Mode, the IDT consists of an 
array of eight-byte descriptors; the descriptor for the interrupt invoked must indicate an 
interrupt, trap, or task gate. In Real Address Mode, the IDT is an array of four byte- 
long pointers. In Protected and Real Address Modes, the base linear address of the IDT 
is defined by the contents of the IDTR. 
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The INTO conditional software instruction is identical to the INT n interrupt instruction 
except that the interrupt number is implicitly 4, and the interrupt is made only if the 
Intel486 processor overflow flag is set. 


The first 32 interrupts are reserved by Intel for system use. Some of Hess pie pe are 
used for internally generated exceptions. . 


The INT n instruction generally behaves like a far call except that the flags register is 
_pushed onto the stack before the return address. Interrupt procedures return via the 
IRET instruction, which pops the flags and return address from the stack. , 

In Real Address Mode, the INT rn instruction pushes the flags, the CS ceuiters and the 


return IP onto the stack, in that order, then jumps to the long pointer indexed by the 
interrupt number. 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP, #NP, #SS, and #TS as indicated under “Operation” abaves. 


Real Address Mode Exceptions 


None; if the SP or ESP register is 1, 3, or 5 before executing the INT or INTO instruc- 
tion, the Intel486 processor will shut down due to insufficient stack space. 


Virtual 8086 Mode Exceptions 
#GP(0) fault if IOPL is less than 3, for the INT n instruction only, to permit emulation; 


Interrupt 3 (OCCH) generates a breakpoint exception; the INTO instruction pencrates 
an overflow exception if the OF flag is set. 
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-INVD —Invalidate Cache. 


Opcode Instruction ~ Clocks Description 
OF 08 INVD | 4 Invalidate Entire Cache 
Operation 


FLUSH INTERNAL CACHE 
_ SIGNAL EXTERNAL CACHE TO FLUSH 


peor pel: 
The internal eactie iS Aushed: aia a specie tancton bus cycle is fcued which indicates 


that external caches should also be flushed. Data held in write-back external caches is 
discarded. 


Flags Affected 


None. 


Protected Mode Exceptions 


The INVD instruction is a privileged instruction; 1; #GP(0) if the current eles level is 


~~ not 0. 


Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


#GP(0); the INVD instruction is a privileged instruction. 


Notes 


This instruction is implementation-dependent; its function may be implemented differ- 
ently on future Intel processors. 


It is the responsibility of hardware to respond to the external cache flush indication. 
This instruction is not supported on Intel386 processors. See Section 3.11 for detecting 
an Intel486 processor at runtime. See WBINVD description to write back dirty data to 


memory. 


See Section 12.2 on disabling the cache. 
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INVLPG — Invalidate TLB Entry 


Opcode instruction -. Clocks Description 
OF 01/7 INVLPG m- | 12 for hit invalidate TLB Entry 
Operation 


INVALIDATE TLB ENTRY 


Description 
The INVLPG instruction is used to invalidate a single entry in the TLB, the cache used 


for page table entries. If the TLB contains a valid entry which MAD? the. address of the 
memory operand, that TLB entry is marked invalid. | 


Flags Affected 


None 


Protected Mode Exceptions 


The INVLPG instruction is a privileged instruction; #GP(0) if the current privilege level 
is not 0. An invalid-opcode exception is generated when used with a register operand. 


Real Address Mode Exceptions 


None 


Virtual 8086 Mode Exceptions 


An invalid-opcode exception is generated when used with a register operand, #GP(0) 
the INVLPG instruction is a privileged instruction. | 


Notes 


This instruction is not supported on Intel386 processors. See Section 3.11 for eoteeune 
an Intel386 processor at runtime. | 


See Section 12.2 on disabling the cache. 
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IRET/IRETD — Interrupt Return 


Instruction Clocks = Description | 


IRET Interrupt return (far return and pop flags) 
IRET Interrupt return to lesser privilege 
IRET : | ‘ Interrupt return, different task (NT = 1) — 


IRETD | | Interrupt return (far return and pop flags) 
IRETD Interrupt return to lesser privilege — | 
IRETD | 2. ee I, Interrupt return to V86 mode > 

IRETD . . | Interrupt return, different task (NT = 1) 


NOTE: Values of ts are given by the following table: 


| | : _New Task | | 
to Intel486™ CPU TSS to 80286 TSS | to VM TSS 


Old Task 


Operation 


IF PE = 0 
THEN (* Real-address mode *) 
IF OperandSize = 32 (* Instruction 
THEN EIP <— Pop(); 
ELSE (* Instruction = IRET *) 
IP <— Pop(); 
Fl; 
CS < Pop(); | OO 
IF OperandSize = 32 (* Instruction = IRETD *) © 
THEN Pop(); EFLAGS < Pop(); 
ELSE (* Instruction = IRET *) 
FLAGS < Pop(); 


IRETD *) 


Fi; 
ELSE (* Protected mode *) 
IF VM = 1 
THEN #GP(0); 
ELSE 
IF NT = 1 
THEN GOTO TASK-RETURN; 
ELSE 
IF VM = 1 in flags image on stack 
THEN GO TO STACK-RETURN-TO-V86; 
ELSE GOTO STACK-RETURN; 
Fl; 
Fl; 
Fl; 


Fl;:STACK-RETURN-TO-V86: ( feriosiee procedure was in ves mode ") 
IF top 36 bytes of stack not within limits - a 
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THEN #SS(0); 
Fl; 

_" IF instruction pointer not within. code segment limit’ THEN #GP(0); 
Fl; 


EFLAGS <— ss: ESP + 8]: rs Sets VM in interrupted routine *) 
 EIP — Pop(); - 

~ CS <— Pop(); (*.CS behaves as in 8086, due to VM = *) 
throwaway <— Pop(); (* pop away EFLAGS aes redid ep 

~ TempESP < Pop(); —_ 
TempSs < Pop(); 

_ ES <— Pop(); (* pop 2 words; throw away high-order word *) 
DS — Pop(); (* pop 2 words; throw away high-order word *) 
FS <—,Pop(); (* pop 2 words; throw away high-order word *) 

. GS <— Pop(); (* pop 2 words; throw away nigh: -order word *) — 

SS:ESP < Tempss: TempESP; 


(* Resume execution in Virtual 8086 mode *) 
TASK-RETURN: 


Examine Back Link Selector in TSS addressed by the current task 
register: 


Must specify global in the local/global bit, else #TS(new TSS selector); . 


Index must be within GDT limits, else #TS(new TSS selector); 

AR byte must specify TSS, else #TS(new TSS selector): 

New TSS must be busy, else #TS(new TSS selector); 

TSS must be present, else #NP(new TSS selector); 
SWITCH-TASKS without nesting to TSS specified by back link selector; 
Mark the task just abandoned as NOT BUSY; 
Instruction pointer must be within code segment limit ELSE #GP(0);. . 


STACK-RETURN: 
IF OperandSize = 32 
THEN Third word on stack must be within stack limits, else #SS(0); 
ELSE Second word on stack must be within stack limits, else #SS(0); 
FI; 
Return CS selector RPL must be = CPL, else #GP(Return selector); 
IF return selector RPL = CPL 
THEN GOTO RETURN-SAME-LEVEL; 
ELSE GOTO RETURN-OUTER-LEVEL; 
FI; 


RETURN-SAME-LEVEL: 
IF OperandSize = 32 
THEN 
Top 12 bytes on stack must be within limits, else #SS(0); | 
Return CS selector at metals must be non-null, else ae ); 
-ELSE are 
Top 6 bytes on stack must be within limits, ise #S8(0);. 
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Return CS selector (at eSP +2) must be non-null, else TPA, 
Fl; 
Selector index must be within its descriptor tabie limits, else #GP 
(Return selector); 
AR byte must indicate code segment, else #GP(Return eoecy) 
IF non-conforming 
THEN code segment DPL must = CPL; 
ELSE #GP(Return pene 
Fl; 
IF conforming 
THEN code segment DPL must be < CPL, else #GP(Return selector); 
Segment must be present, else #NP(Return selector); 
Instruction pointer must be within code segment boundaries, else #GP(0); 
Fl; 
IF OperandSize = 32 
THEN 
Load CS:EIP from stack; 
Load CS-register with new code segment descriptor; 
Load EFLAGS with third doubleword from stack; 
Increment eSP by 12; 
ELSE 
Load CS-register with new code segment desciister 
Load FLAGS with third word on stack; 
Increment eSP by 6; 
Fl; 


RETURN-OUTER-LEVEL: 
IF OperandSize = 32 
THEN Top 20 bytes on stack must be within limits, else #3838(0); 
ELSE Top 10 bytes on stack must be within limits, else #S83S(0); 
Fl; 
Examine return CS selector and associated descriptor: 
Selector must be non-null, else #GP(0); 
Selector index must be within its descriptor table limits; 
ELSE #GP(Return selector); 
AR byte must indicate code segment, else #GP(Return selector); 
IF non-conforming 
THEN code segment DPL must = CS selector RPL; 
ELSE #GP(Return selector); 
Fl; 
IF conforming 
THEN code segment DPL must be > i 
ELSE #GP(Return selector); 
Fl; 
Segment must be present, else #NP(Return selector); 


Examine return SS selector and associated descriptor: 
Selector must be non-null, else #GP(0); | 
Selector index must be within its descriptor table limits 
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ELSE “¥GP(SS saiciones | ; 
Selector RPL must equal the RPL of ihe return cs selector 
ELSE #GP(SS selector); : 
AR byte must indicate a writable data ccament else #GP(SS Sci-cion: 
Stack segment DPL must:.equal the RPL of the. return CS-selector . 
ELSE #GP(SS selector); 
SS must be present, else #NP(SS selector); 


Instruction pointer must be within code segment limit ELSE #GP(0); 
IF OperandSize = a2. 
THEN : 
Load CS:EIP from stack; _ : 
Load EFLAGS with values at (esP +8); 
ELSE 
Load CS:IP from stack; 
Load FLAGS with values at (eSP+ 4); 
Fl: 
Load SS:eSP trom stack; Bp es oe 
Set CPL to the RPL of the return cs sdiecor - 
Load the CS register with the CS descriptor; 
Load the SS register with the SS eecoraie 
FOR each of ES, FS, GS, and DS ~~ cA i i 
DO; REDE Dp 7B a! 
IF the current value of the register is not valid for he outer level; 
THEN zero the register and clear the valid flag; 
Fl: 
To be valid, the register setting must satisfy the following properties: - 
Selector index must be within descriptor table limits; : 
AR byte must indicate data or readable code segment; : 
IF segment is data or non-conforming code, . 
THEN DPL must be > CPL, or DPL must be < RPL; 
OD; _ ee i oe as Me 


Description 


In Real Address Mode, ties IRET instruction pops the instruction saeintet the CS reg- 
ister, and the flags register from the stack and resumes interrupted foutine. 


In Protected Mode, the action of the IRET instruction depends on the, eee of the 
nested task flag (NT) bit in the flag register. When.the new flag image is. popped from 
the stack, the IOPL bits in the flag register are changed only when CPL equals 0. 


If the NT flag is cleared, the IRET instruction returns from an interrupt procedure 
without a task switch. The code returned to must be equally or less privileged than the 
interrupt routine (as indicated by the RPL bits of the,CS selector popped from. the 
stack). If the destination code is less puvileeed, the ARET instruction also: ons oe stack 
pointer and SS from the stack. 3 Le as , ees 
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If the NT flag is set, the IRET instruction reverses the operation of a CALL or INT that 
caused a task switch. The updated state of the task executing the IRET instruction is 
saved in its task state segment. If the task is reentered later, the code that follows the 
IRET instruction is executed. 


Flags Affected 

All flags are affected: the flags register is popped from stack. 

Protected Mode Exceptions 

#GP, #NP, or #SS, as indicated under “Operation” above. 

Real Address Mode Exceptions | 

Interrupt 13 if any part of the operand being popped lies beyond address OFFFFH. — 


Virtual 8086 Mode Exceptions 


#GP(0) fault if the I/O privilege level is less than 3, to permit emulation. 
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77 
73 
72 
76 
72 
E3 
E3 
74 
74 
7F 
7D 
7C 
7E 


76 
72 
73 
77 


73 
75 
7E 
7C 
7D 
7F 


71 

7B 

79 

75 

70 

7A 

7A 

7B 

78 

74 cb 

OF 87 cw/cd 
OF 83 cw/cd 
OF 82 cw/cd 
OF 86 cw/cd 
OF 82 cw/cd 
OF 84 cw/cd 
OF 84 cw/cd 
OF 8F cw/cd 
OF 8D cw/cd 
OF 8C cw/cd 


Instruction 


JA rel8g 
JAE re/8g 


JB rel 


JBE re/lg 
JC relg 
JCXZ rel8 
JECXZ relg 
JE relg 

JZ relg 

JG relg 
JGE rel8g 
JL relg 
JLE relg 


JNA rel 


. JNAE re/8g 
' JNB re/l8g 


JNBE rel8 


JNC relg 
JNE re/g 
JNG relg 
JNGE re/g 
JNL rel8 
JNLE relg 


JNO rel8g 
JNP relg 
JNS re/g 
JNZ relg 
JO relg 


_ JP relg 


JPE re/8 
JPO rel8 


JS relg 


JZ rel8 

JA rel16/32 
JAE rel16/32 
JB rel16/32 
JBE rel16/32 
JC rel16/32 
JE rel16/32 
JZ rel16/32 


. JG rel16/32 


JGE rel16/32 
JL rel16/32 


INSTRUCTION SET 


3,1 
3,1 
3,1 
3,1 


ae 384 


8,5 
8,5 
3,1 


. 3,1 


3,1 


3;1 
3,1 
3,1 


‘Clocks. 
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Description 
Jump short if above (CF=0 and ZF =0) 
Jump short if above or equal (CF =0) 


| Jump short if below (CF =1) 


Jump short if below or equal (CF=1 or 2E = " 


Jump short if carry (CF =.1) 


Jump short if CX register is 0 
Jump short if ECX register is 0 
Jump short if equal (ZF = 1) 


. Jump short ifO (ZF= 1). 
Jump short if greater (ZF = 0 and SF= OF) 


Jump short if greater or equal (SF = OF) 
Jump short if less (SF<>OF) : 


Jump short if less or ou (ZF = 1 or 
SF<>OF) | 


Jump short if not above (CF=1 or ZF=1) 
Jump short if not above or equal (CF=1) 
Jump short if not below (CF =0) 


Jump short if not below or equal ox 0 and 


ZF =0)’ 

Jump short if not carry (CF =0) 

Jump short if not equal (ZF =0) 

Jump short if not greater (ZF =1 or SF<>OF) 
Jump short if not greater or equal (SF<>OF) 
Jump short if not less (SF = OF) 


Jump short if not less or equal (ZF =O and 
SF = OF) 


Jump short if not overflow (OF =0) 
Jump short if not parity (PF =0) 
Jump short if not sign (SF =0) 
Jump short if not zero (ZF =0) 
Jump short if overflow (OF = 1) 
Jump short if parity (PF = 1) 

Jump short if parity even (PF = 1) 
Jump short if parity odd (PF =0) 


~ Jump short if sign (SF = 1) 


Jump short if zero (ZF = 1) 

Jump near if above (CF=0 and ZF=0) 
Jump near if above or equal (CF =0) 
Jump near if below (CF=1) 

Jump near if below or equal (CF=1 or ZF=1) 
Jump near if carry (CF = 1) 

Jump near if equal (ZF = 1) 

Jump near if 0 (ZF =1) 

Jump near if greater (ZF =O and SF =OF) 
Jump near if greater or equal (SF = OF) 
Jump near if less (SF <>OF) 


Opcode | 

OF 8E cw/cd 
OF 86 cw/cd 
OF 82 cw/cd 
OF 83 cw/cd 
OF 87 cw/cd 


OF 83 cw/cd 
OF 85 cw/cd 
OF 8E cw/cd 
OF 8C cw/cd 
OF 8D cw/cd 
OF 8F cw/cd 


OF 81 cw/cd 
OF 8B cw/cd 
OF 89 cw/cd 
OF 85 cw/cd 
OF 80 cw/cd 
OF 8A cw/cd 


OF 8A cw/cd 


OF 8B cw/cd 
OF 88 cw/cd 


OF 84 cw/cd 


Instruction 
JLE rel16/32 
JNA rel16/32 
JNAE re/16/32 
JNB rel16/32 
JNBE rel16/32 


JNC rel16/32 
JNE rel16/32 
JNG rel16/32 
JNGE rel16/32 
JNL re/16/32 
JNLE re/16/32 


JNO rel16/32. 


JNP rel16/32 | 


JNS rel16/32 
JNZ rel16/32 
JO rel16/32 
JP rel16/32 
JPE rel16/32 
JPO rel16/32 


JSS rel16/32 


JZ rel16/32 


INSTRUCTION SET 


~ Clocks 
3,1. 


3,1 
3,1 
3,1 
3,1 


3,1 
3,1 
3,1 
3,1 
3,1 
3,1 


3,1 
3,1 
3,1 
3,1 
3,1 


a 


3,1 
3,1 


3,1 
3,1 


Description 

Jump near if less or equal (ZF =1 or SF< > OF) 
Jump near if not above (CF=1 or ZF=1) 
Jump near if not above or equal (CF=1) 

Jump near if not below (CF =0) 

ul Ne if not below or equal (CF =0 and 


Jump near if not carry (CF =0) 

Jump near if not equal (ZF = 0) igi 
Jump near if not greater (ZF =1 or SF< > OF) 
Jump near if not greater or equal (SF < >OF) 
Jump near if not less (SF= OF) . 

rele ie if not less or equal (ZF = 0 and 


Jump near if not overflow (OF =0) 
Jump near if not parity (PF =0) 


Jump near if not sign (SF=0). 


Jump near if not,zero (ZF =0) 


Jump near if overflow (OF = 1) 


Jump near if parity (PF =1) 
Jump near if parity even (PF = 1) 
Jump near if parity odd (PF =0) 
Jump near if sign (SF =1) 7 
Pee near if O (ZF =1) 


NOTES: The first clock count is for the true condition (branch taken); the second clock count is for the false condition 
(branch not taken). re/16/32 indicates that these instructions map to two; one with a 16-bit relative displacement, 
the other with a 32-bit relative displacement, depending on the operand- -size attribute of the instruction. 


Operation 


IF condition 

THEN 
EIP < EIP + SignExtend(rel8/16/32); 
IF OperandSize = 16 
THEN EIP <— EIP AND OOOOFFFFH; 
Fl; 

Fl; 


Description 


Conditional jumps (except the JCXZ instruction) test the flags which have been set by a 
previous instruction. The conditions for each mnemonic are given in parentheses after 
each description above. The terms “less” and “greater” are used for comparisons of 
signed integers; “above” and “below” are used for unsigned integers. | 


If the given condition is true, a jump is made to the location provided as the operand. 
Instruction coding is most efficient when the target for the conditional jump is in the 
current code segment and within —128 to +127 bytes of the next instruction’s first byte. 
The jump can also target —32768 thru +32767 (segment size attribute 16) or —2° thru 
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+23!—1 (segment size attribute 32) relative to the next instruction’s first byte. When the 
target for the conditional jump is in a different segment, use the opposite case of the 
jump instruction (i.e., the JE and JNE instructions), and then access the target with an 
unconditional.far jump to the other segment. For example, you cannot code — 


JZ FARLABEL; 
You must instead code — 


- JNZ BEYOND; - 
JMP FARLABEL; 
BEYOND: : 


Because there can be Several ways to interpret a particular state of the flags, ASM386 
provides more than one mnemonic for most of the conditional jump opcodes. For exam- 
ple, if you compared two characters in AX and want to jump if they are equal, use the JE 
instruction; or, if you ANDed the AX register with a bit field mask and only want to 
jump if the pee is 0, use the JZ instruction, a synonym for the JE instruction. | 


The JCXZ instruction differs from other conditional j jumps bebause it tests the contents 
of the CX or ECX register for 0, not the flags. The JCXZ instruction is useful at the 
beginning of a conditional loop that terminates with a conditional loop instruction (such 
as LOOPNE TARGET LABEL. The JCXZ instruction prevents entering the loop with 
the CX or ECX register equal to ZerO, which would cause the loop to execute 64K or 26 
times instead of zero times. 


Flags Affected 


None. 


Protected Mode Exceptions 


 #GP(0) if the offset jumped to is beyond the limits of the code segment. 
Real Address Mode Exceptions ve 

None. _ 

Virtual 8086 Mode Exceptions == 

Mee = 


26-180: 


intel ; INSTRUCTION SET 


Notes 


The JCXZ instruction takes longer to execute than a two-instruction sequence which 
compares the count register to zero and jumps if the count is zero. 


All branches are converted into 16-byte code fetches regardless of jump address or 
cacheability. 7 : 
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Instruction. 


JMP re/8g 
JMP re/16 


- Clocks: ..: 


JMP 1/m16 

JMP ptr16:16 
JMP ptr16:16 
JMP ptr16:16 
JMP ptr16:16 
JMP m16:16 
JMP m16:16 
JMP m16:16 
JMP m16:16 
JMP rel32 


JMP r/m32 

JMP ptr16:32 
JMP pitr16:32 
JMP ptr16:32 
JMP pir16:32 
JMP m16:32 
JMP m16:32 
JMP m16:32 
JMP m16:32 


NOTE: Values of ts are given by the following table: 


) 


' Old Task 


Operation 


IF instruction = relative JMP 

(* i.e. operand is re/8, re/16, or rel32 *) 
THEN 

EIP < EIP + rel8/16/32; 

IF OperandSize = 16 

THEN EIP < EIP AND OQOOOFFFFH; 

Fl: 
Fl; 


IF instruction = near indirect JMP 
(* i.e. operand is r/m16 or r/m32 *) 
THEN | 
IF OperandSize = 16 
THEN 
EIP — [r/m16] AND QOOOFFFFH; 


26-182. 


to Intela4g6™ CPU TSS to 80286 TSS | toVMTSS 


INSTRUCTION SET 


Description — 


“Jump short ca 


Jump near, displacement relative to next instruc- 
tion . _ 
Jump near indirect © a . 
Jump intersegment, 4-byte immediate address: .. 
Jump to call gate, same privilege 

Jump via task state segment 


Jump via task gate 


Jump r/m16:16 indirect and intersegment 
Jump to call gate, same privilege 

Jump via task state segment 

Jump via task gate 

Jump near, displacement relative to next instruc- 
tion 

Jump near, indirect 

Jump intersegment, 6-byte immediate address 
Jump to call gate, same privilege | 

Jump via task state segment 

Jump via task gate . 

Jump intersegment, address at r/m dword 
Jump to call gate, same privilege 

Jump via task state segment 

Jump via task gate 
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ELSE (* OperandSize = 32 *) 
EIP — [r/m32; 

Fl; : 

Fl; 


IF (PE = 0 OR (PE = 1 AND VM = 1)) (* real mode or V86 mode *) 
AND instruction = far JMP 
(* i.e., operand type is m16:16, m16:32, ptr16:16, pine 32 *) 
THEN GOTO REAL-OR-V86-MODE; 
IF operand type = m76:16 or m16:32 
THEN (* indirect *) 
IF OperandSize = 16 
THEN 
CS:IP — [m16:16]; | 
EIP < EIP AND OOOOFFFFH; (* clear upper 16 bits *) | 
ELSE (* OperandSize = 32 *) 
CS:EIP — [m16:32]; 


Fl; 
Fl; 
IF operand type = ptr16:16 or ptr16:32 
THEN 

IF OperandSize = 16 

THEN 


CS:IP <— ptr16:16; | 
EIP <— EIP AND OOOOFFFFH: (* clear upper 16 bits *) 
ELSE (* OperandSize = 32 *) 
CS:EIP < ptr16:32; 
Fl; 
Fl; 
FA; 


IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode *) 
AND instruction = far JMP | 
THEN 
IF operand type = m16:16 or m16:32 
THEN (* indirect *) 
check access of EA dword; 
#GP(0) or #SS(0) IF limit violation; 
Fl; 
Destination selector is not null ELSE #GP(0) | 
Destination selector index is within its descriptor table limits ELSE #GP(selector) 
Depending on AR byte of destination descriptor: 
GOTO CONFORMING-CODE-SEGMENT; 
GOTO NONCONFORMING-CODE-SEGMENT; 
GOTO CALL-GATE; 
GOTO TASK-GATE; 
GOTO TASK-STATE-SEGMENT; 
ELSE #GP(selector); (* illegal AR byte in descriptor *) 
FI; 7 : | 
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CONFORMING-CODE-SEGMENT: 
Descriptor DPL must be = CPL ELSE #GP(selector); 
Segment must be present ELSE #NP(selector); 
Instruction pointer must be within code-segment limit ELSE #GP(0); 
IF OperandSize = 32 
THEN Load CS:EIP from destination pointer; 
ELSE Load CS:iP from destination pomler 
FI; 
Load CS register with new arent descriptor; 


NONCONFORMING- CODE- SEGMENT: 
RPL of destination selector must be < CPL ELSE #GP(selector): 
Descriptor DPL must be = CPL ELSE #GP(selector); 
Segment must be present ELSE # NP(selector); 
Instruction pointer must be within code-segment limit ELSE #GP(0); 
IF OperandSize = 32 ee 4 
THEN Load CS:EIP from destination pointer; 
ELSE Load CS:IP from destination pointer; 
FI; 
Load CS register with new segment descriptor; 
Set RPL field of CS register to CPL; 


CALL-GATE: 
Descriptor DPL must be = CPL ELSE #GP(gate selector); 


Descriptor DPL must be = gate selector RPL ELSE #GP(gate selector); | 4 


Gate must be present ELSE #NP(gate selector); 
Examine selector to code segment given in call gate descriptor: 
Selector must not be null ELSE #GP(0); 
Selector must be within its descriptor table limits ELSE 
#GP(CS selector); 
Descriptor AR byte must indicate code segment 
ELSE #GP(CS selector); 
IF non-conforming 
THEN code-segment descriptor DPL must = CPL. 
ELSE #GP(CS selector); 
Fl; 
IF conforming , 
THEN code-segment descriptor DPL must be <=. CPL; 
ELSE #GP(CS selector); 
Code segment must be present ELSE #NP(CS saiseion: 
Instruction pointer must be within eee. orn limit ELSE #GP(0); 
IF OperandSize = 32 — 
THEN Load CS:EIP from call gate; 
ELSE Load CS:IP from call gate; 
Fl; | en ae 
Load CS register with new code-segment deccapion | 
Set RPL of CS to CPL 


TASK-GATE: 
Gate descriptor DPL must be | > CPL ELSE  #GP gate aclecion: 
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Gate descriptor DPL must be = gate selector RPL ELSE Heat (Gate selector); 
- Task Gate must be present ELSE #NP(gate selector); 

Examine selector to TSS, given in Task Gate descriptor: | 

Must specify global in the local/global bit ELSE #GP(TSS selector); 

Index must be within GDT limits ELSE #GP(TSS selector); 

Descriptor AR byte must specify available TSS (bottom bits 00001); 

ELSE #GP(TSS selector); 

Task State Segment must be present ELSE #NP(TSS selector); 
SWITCH-TASKS (without nesting) to TSS; 
Instruction pointer must be within code-segment limit ELSE #GP(0); 


TASK-STATE-SEGMENT: 
TSS DPL must be = CPL ELSE #GP(TSS selector); 
TSS DPL must be = TSS selector RPL ELSE #GP(TSS selector); 
Descriptor AR byte must specify available TSS (bottom bits 00001) 

ELSE #GP(TSS selector); 

Task State Segment must be present ELSE #NP(TSS selector); 
SWITCH-TASKS (without nesting) to TSS; 
Instruction pointer must be within code-segment limit ELSE #GP(0); 


ca ec 


The. JMP- instruction transfers control to. a different point in the instruction stream 
without recording return information. | 7 


The action of the various forms of the instruction are shown below. 


Jumps with destinations of type r/m16, r/m32, rel16, and rel32are near jumps and do not 
involve changing the segment register value. 


The JMP re/16 and JMP re/32 forms of the instruction add an offset to the address of the 
instruction following the JMP to determine the destination. The re/16 form is used when 
the instruction’s operand-size attribute is 16 bits (segment size attribute 16 only); re/32 is 
used when the operand-size attribute is 32 bits (segment size attribute 32 only). The 
result is stored in the 32-bit EIP register. With re/16, the upper 16 bits of the EIP register 
are cleared, which results in an offset whose value does not exceed 16 bits. 


The JMP r/m16 and JMP r/m32 forms specify a register or memory location from which 
the absolute offset from the procedure is fetched. The offset fetched from 1/m is 32 bits 
for an operand-size attribute of 32 bits (r/m32), or 16 bits for an operand-size attribute of 
16 bits (1/m16). 


The JMP pir16:16 and pir16:32 forms of the instruction use a four-byte or six-byte oper- 
and as a long pointer to the destination. The JMP m16:16 and m16:32 forms fetch the 
long pointer from the memory location specified (indirection). In Real Address Mode or 
Virtual 8086 Mode, the long pointer provides 16 bits for the CS register and 16 or 32 bits 
for the EIP register (depending on the operand-size attribute). In Protected Mode, both 
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long pointer forms consult the Access Rights (AR) byte in the descriptor indexed by the 
selector part of the long pointer. Depending on the value. of the AR byte, the’) tmp will 
perform one of the following types of control transfers: 


e A jump to a code segment at the same privilege level 
e A task switch | 


For more information on eee mode control bansiers, ‘refer. to Chapter 6 and 
Chapter 7. . | 


Flags Affected 


All if a task switch takes ore none if no task switch occurs. 


Protected Mode Exceptions | 
Far jumps: #GP, oY #SS, and #TS, as indicated in the list above. 


Near direct jumps: #GP(0) if procedure location is beyond the code ett limits; 
#AC for unaligned memory reference if the current privilege level is 3. 


Near indirect jumps: #GP(0) for an illegal memory operand effective address in the CS, 
DS, ES, FS, or GS segments: #SS(0) for an illegal address in the SS segment; #GP if the 


indirect offset obtained is beyond the code segment limits; #PF(fault- code) for a page 
fault; #AC for unaligned memory reference if the c current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would be outside of the effective address spare 
from 0 to OFFFFH. . | : 


Virtual 8086 Mode Exceptions 


Same exceptions as under Real Address Mode; #PF(fault- code) for a page fault; #AC 
for uneenee sag reference it oe current peur’ Ae is oe 


Notes | 


All branches are converted into 16- -byte code fetches regardless of jump address or 
cacheability. 
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LAHF — Load Flags into AH Register 


Operation 


AH <— SF:ZF:xx:AF:xx:PF:xx:CF; 


Description oe 
The LAHF instruction transfers the low byte of the flags word to the AH register. The 


bits, from MSB to LSB, are sign, zero, indeterminate, auxiliary, carry, indeterminate, 
parity, indeterminate, and carry. 


Flags Affected 

None. 

Bieteetwe Mode Exceptions 

None. 

Real Address Mode Exceptions _ 
None. 

Virtual 8086 Mode Exceptions 


None. 
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-LAR—Load Access Rights Byte 


Opcode Instruction _ Clocks Description 


OF 02/r . LAR r16,r/m16 41/11 r16 — r/m16 masked by FFOO. 
OF 02/r © LAR £r32,r/m32__ 11/11 ae r32 <— r/m32 masked by OOFxFF00 


Description 


The LAR instruction stores a marked form of the second doubleword of the descriptor 
for the source selector if the selector is visible at the current privilege level (modified by 
the selector’s RPL) and is a valid descriptor type within the descriptor limits. The des- 
tination register is loaded with the high-order doubleword of the descriptor masked by 
OOFxFFO0O, and the ZF flag is set. The x indicates that the four bits corresponding to the 
upper four bits of the limit are undefined in the value loaded by the LAR instruction. If 
the selector is invisible or of the wrong type, the ZF flag is cleared. 


If the 32-bit operand size is specified, the entire 32-bit value is loaded into the 32-bit 
destination register. If the 16-bit operand size is specified, the lower 16-bits of this value 
are stored in the 16-bit destination register. : 7 


All code and data segment descriptors are valid for the LAR instruction. 


The valid special segment and gate descriptor types for the LAR instruction are given in 


i following table: | 
[versie 


Invalid | Invalid 
Available 286 TSS Valid 
LDT ~ Valid 
Busy 286 TSS Valid 
286 call gate Valid 
286/Intel486™ task gate Valid : 
286 trap gate Invalid 
286 interrupt gate Invalid 
Invalid Invalid 
Available Intel486 TSS Valid 
Invalid Invalid 
Busy Intel486 TSS Valid 
Intel486 call gate Valid 
Invalid Invalid 
Intel486 trap gate. Invalid 
Intel486 interrupt gate Invalid 


0 
1 
2 
3 
4 
5 
6 ; 
7 
8 
] 
A 
B 
C 
D 
E 
F 


Flags Affected 


The ZF flag is set unless the selector is invisible or of the wrong type, in which case the 
ZF flag is cleared. 
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Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault- code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 6; the LAR instruction is unrecognized in Real Address Mode. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode. 
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LEA —Load Effective Address 


Opcode. _ Instruction. Clocks = = - °° -  ___ Description 


8D /r LEA rI6gm 1 rey Store effective address for m in register 16 


8D /r - LEA r32,m | ede EG » Weg 4 i Store effective address for m in register. r32 
8D /r LEA r16,m 1 Store effective address for m in register r76 
8D /r LEA r32,.m 1 Store effective address for m in register r32 


Operation 


IF OperandSize = 16 AND AddressSize = 16 
THEN r16 <— Addr(m); 


ELSE | 
IF OperandSize = 16 AND AddressSize = 32 
THEN , 
r16 <— Truncate_to_16bits(Addr(m)); (* 32-bit address * 
ELSE 
IF OperandSize = 32 AND AddressSize = 16 
THEN 
r32 <— Truncate_to_16bits(Addr(m)); 
ELSE 
IF OperandSize = 32 AND AddressSize = 32 
THEN 132 < Addr(m): 
Fl; 
Fl; 
Fl; 
Fl; 
Description 


The LEA instruction calculates the effective address (offset part) and stores it in the 
specified register. The operand-size attribute of the instruction (represented by Oper- 
andSize in the algorithm under “Operation” above) is determined by the chosen regis- 
ter. The address-size attribute (represented by AddressSize) is determined by the USE 
attribute of the segment containing the second operand. The address-size and operand- 
size attributes affect the action performed by the LEA instruction, as follows: 


Operand Size | Address Size , Action Performed 


16 16 16-bit effective address is calculated and stored in requested 
16 32 
32 16 
32 32 


16-bit register destination. 


32-bit effective address is calculated. The lower 16 bits of the 
address are stored in the requested 16-bit register destination. 


16-bit effective address is calculated. The 16-bit address is zero- 
extended and stored in the requested 32-bit register destination. 


32-bit effective address is calculated and stored in the requested 
32-bit register destination. 
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Flags Affected 


None. 


Protected Mode Exceptions — 


#UD if the second operand is a register. 


Real Address Mode Exceptions 


Interrupt 6 if the second operand is a register. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode. 
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LEAVE —High Level Procedure Exit — 


Clocks - Description 


5 Set SP to BP, then pop BP 
5 Set ESP to EBP, then pop EBP 


Operation 


IF StackAddrSize = 16 

THEN 
SP < BP; 

ELSE (* StackAddrSize = 32 *) | 
ESP <— EBP: 

FI; 

IF OperandSize = 16 

THEN 
BP < Pop(); 

ELSE (* OperandSize = 32 *) 
-EBP <— Pop(; | 

Fl; 


Description 

The LEAVE instruction reverses the actions of the ENTER instruction. By copying the 
frame pointer to the stack pointer, the LEAVE instruction releases the stack space used 
by a procedure for its local variables. The old frame pointer is popped into the BP or 


EBP register, restoring the caller’s frame. A subsequent RET nn instruction removes any 
arguments pushed onto the stack of the exiting procedure. 


Flags Affected 


None. 


Protected Mode Exceptions 


#SS(0) if the BP register does not point to a location within the limits of the current 
stack segment. | 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode. 
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LGDT/LIDT — Load Global/Interrupt Descriptor Table Register 


Instruction ‘Clocks Description: 
LGDT m16&32 11 Load m into GDTR 


LIDT m16&32 11 Load m into IDTR 


Operation 


IF instruction = LIDT 

THEN 
IF OperandSize = 16 . _ ee 
THEN IDTR.Limit:Base — m16:24 (* 24 bits of base loaded *) 
ELSE IDTR.Limit:Base — m16:32 
Fl: 

ELSE (* instruction = LGDT *) 
IF OperandSize = 16 
THEN GDTR.Limit:Base — 16:24 (* 24 bits of base loaded *) © 
ELSE GDTR.Limit:Base — m16:32; 
Fl: 

FI; 


Description 


The LGDT and LIDT instructions load a linear base address and limit value from a 
six-byte data operand in memory into the GDTR or IDTR, respectively. If a 16-bit 
operand is used with the LGDT or LIDT instruction, the register is loaded with a 16-bit 
limit and a 24-bit base, and the high-order eight bits of the six-byte data operand are not 
used. If a 32-bit operand is used, a 16-bit limit and a 32-bit base is loaded; the high-order 
eight bits of the six-byte operand are used as high-order base address bits. 


The SGDT and SIDT instructions always store into all 48 bits of the six-byte data oper- 
and. With the 80286 processor, the upper eight bits are undefined after the SGDT or 
SIDT instruction is executed. With the Intel386 DX or Intel486 processors, the upper 
eight bits are written with the high-order eight address bits, for both a 16-bit operand 
and ‘a 32-bit operand. If the LGDT or LIDT instruction is used with a 16-bit operand to 
load the register stored by the SGDT or SIDT instruction, the upper eight bits are 
stored as zeros. | 


The LGDT and LIDT instructions appear in operating system software; they are not 
used in application programs. They are the only instructions that directly load a linear 
address (i.e., not a segment relative address) in Protected Mode. 


Flags Affected 
None. 
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Protected Mode Exceptions 
#GP(0) if the current privilege level is not 0; #UD if the source operand is a register; 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or.GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH; Interrupt 6 if the source operand 1s a register. | 


Note: These instructions are valid in Real Address Mode to allow power- up initialization 
for Protected Mode. | 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault. 
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LGS/LSS/LDS/LES/LFS — Load Full Pointer 


Opcode ~ Instruction Clocks . . Description 


C5 /r LDS r16,m16:16 6/12 Load DS:r16 with pointer from memory 
C5 /r LDS r32,m16:32 6/12 Load DS:r32 with pointer from memory 
OF B2 /r LSS r16,m16:16 612 Load SS:r16 with pointer from memory 
OF B2/r LSS r32,m16:32 6/12 . Load SS:r32 with pointer from memory 


C4 /r LES r16,m16:16 6/12 Load ES:r16 with pointer from memory. 
C4 /r LES r32,m16:32 6/12 Load ES:r32 with pointer from memory 
OF B4/r LFS r16,m16:16 6/12 Load FS:r16 with pointer from memory 
OF B4/r LFS r32,m16:32 6/12 Load FS:r32 with pointer from memory 
OF B5 /r LGS r16,m16:16 6/12 Load GS:r16 with pointer from memory 
OF B5 /r LGS 132,m16:32 6/12 : Load GS:r32 with pointer from memory 


Operation 


CASE instruction OF 

LSS: Sreg is SS; (* Load SS register *) 

LDS: Sreg is DS; (* Load DS register *) 

LES: Sreg is ES; (* Load ES register *) - 

LFS: Sreg is FS; (* Load FS register *) = . 

LGS: Sreg is DS; (* Load GS register *) 
ESAC; | 
IF (OperandSize = 16) 
THEN 

r16 <— [Effective Address]; (* 16-bit transfer *) . 

Sreg < [Effective Address + 2]; (* 16-bit transfer *) 

(* In Protected Mode, load the BeScupler into the Seoen eee *) 
ELSE (* OperandSize = 32 *) 

r32 < [Effective Address]; (* 32-bit transfer *) 

Sreg < [Effective Address + 4]; (* 16-bit transfer *) — 

(* In Protected Mode, load the descriptor into the segment register *) 
Fl; 


Description 


The LGS, LSS, LDS, LES, and LFS instructions read a full pointer from memory and 
store it in the selected segment register:register pair. The full pointer loads 16 bits into 
the segment register SS, DS, ES, FS, or GS. The other register loads 32 bits if the 
operand-size attribute is 32 bits, or loads 16 bits if the operand-size attribute is 16 bits. 
The other 16- or 32-bit register to be loaded is determined by the r716 or r32 register 
operand specified. 


When an age are is Te to: one of the ceca registers, the descriptor is-also 
loaded into the segment’ register. The data for the beter is obtained from the descrip- 
tor table entry for the selector given. 2 
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A null selector faites 0000- 0003) « can be loaded into DS, ES, FS, or GS registers with- 
out causing a protection exception. (Any subsequent reference to a segment whose cor- 
responding segment register is loaded with a null selector to address memory causes a 
#GP(0) pc as No my reference to the segment occurs. es 7 


The following i is a listing of the Protected Mode checks Ate actions taken i in the loading 
of a segment register: 7 ; | 


IF SS is loaded: 7 
IF selector is null THEN #GP(0); Fl; 
_ Selector index must be within its descriptor table limits ELSE ~ 
#GP(selector); 
Selector’s RPL must equal CPL ELSE #GP(selector); 
AR byte must indicate a writable data segment ELSE #GP(selector): 
DPL in the AR byte must equal CPL ELSE #GP(selector); 
~ Segment must be marked present ELSE #SS(selector); 
Load SS with selector; | 
Load SS with descriptor; 


IF DS, ES, FS, or GS is loaded with non-null selector: 
Selector index must be within its descriptor table limits ELSE 
#GP(selector); 
AR byte must indicate data or readable code segment ELSE 
#GP (selector); 
IF data or nonconforming code 
THEN both the RPL and the CPL must be ESS than or peas to hes in. 
AR byte; 
ELSE #GP(selector); a. cae a —* 
Segment must be marked Breet ELSE #NP(selecton): 
Load segment register with selector and RPL bits; 
Load segment register with ail : 


IF DS, ES, FS or GS is loaded with a null selector: 


Load segment register with selector; 
Clear descriptor valid bit; 


Flags Affected 

None.. | 

Protected Mode Exceptions — 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; the second operand must be 
a memory operand, not a register—if a register then #UD Fault; #GP(0) if a null 


selector is loaded into SS; #PF(fault- code) fora page fault; ee for ia oa ee 
reference if the current privilege level is 3. - mee 
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Real Address Mode Exceptions 


The second operand must be a memory operand, not a register; Interrupt 13 if any part 
of the operand would lie outside of the effective address space from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode: #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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LLDT—Load Local Descriptor Table Register ~~ 


Opcode Instruction’ =. Gn ce a i eruenon 


OF 00 /2 PO MELDT r/m16: | 56 MA 8 SP : Load selector r/mi6 into’ LOTR” 


Operation 
LDTR < SRC; 
Description 


The LLDT instruction loads the Local Descriptor Table register (LDTR). The word 
operand (memory or register) to the LLDT instruction should contain a selector to the 
Global Descriptor Table (GDT). The GDT entry should be a Local Descriptor Table. If 
so, then the LDTR is loaded from the entry. The descriptor registers DS, ES, SS, FS, 
GS, and CS are not affected. The LDT field in the task state segment does not change. 


The selector operand can be 0; if so, the LDTR is marked invalid. All descriptor refer- 
ences (except by the LAR, VERR, VERW or LSL instructions) cause a #GP fault. 


The LLDT instruction is used in operating system software; it is not used in application 
programs. 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP(0) if the current privilege level is not 0; #GP(selector) if the selector operand does 
not point into the Global Descriptor Table, or if the entry in the GDT is not a Local 
Descriptor Table; #NP(selector) if the LDT descriptor is not present; #GP(0) for an 
illegal memory operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) 
for an illegal address in the SS segment; #PF(fault-code) for a page fault. 


Real Address Mode Exceptions 


Interrupt 6; the LLDT instruction is not recognized in Real Address Mode. 


Virtual 8086 Mode Exceptions © 


Sane exceptions as in Real Address Mode (because the instruction is not recognized, it 
will not execute or perform a memory reference). 
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Note 


The operand-size attribute has no effect on this instruction. 
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LMSW —Load Machine Status Word 


Operation 


MSW < r/m76; (* 16 bits is stored in the machine status word *) 


Description 

The LMSW instruction loads the machine status word (part of the CRO register) from 
the source operand. This instruction can be used to switch to Protected Mode; if so, it 
must be followed by an intrasegment jump to flush the instruction queue. The LMSW 
instruction will not switch back to Real Address Mode. | 


The LMSW instruction is used only in operating system software. It is not used in appli- 
cation programs. | 


Flags. Affected 


None. 


Protected Mode Exceptions 
#GP(0) if the current privilege level is not 0; #GP(0) for an illegal memory operand 


effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in © | 
the SS segment; #PF(fault-code) for a page fault. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Protected Mode; #PF(fault-code) for a page fault. 


Notes 


The operand-size attribute has no effect on this instruction. This instruction is provided 
for compatibility with the 80286 processor; programs for the Intel486 processor should 
use the MOV CRO, ... instruction instead. The LMSW instruction does not affect the PG 
or ET bits, and it cannot be used to clear the PE bit. | 


26-200. 


intel . | INSTRUCTION SET 


LOCK — Assert LOCK# Signal Prefix 


Description 


The LOCK prefix causes the LOCK# signal of the Intel486 processor to be asserted 
during execution of the instruction that follows it. In a multiprocessor environment, this 
signal can be used to ensure that the Intel486 processor has exclusive use of any shared 
memory while LOCK# is asserted. The read-modify-write sequence typically used to 
implement test-and-set on the Intel486 processor is the BTS instruction. 


The LOCK prefix functions only with the following instructions: 


BTS, BTR, BTC mem, reg/imm 
XCHG . | reg, mem 
XCHG mem, reg 
ADD, OR, ADC, SBB, AND, SUB, XOR | mem, reg/imm 
NOT, NEG, INC, DEC mem 


CMPXCHG, XADD 


An undefined opcode trap will be generated if a LOCK prefix is used with any instruc- 
tion not listed above. 


The XCHG instruction always asserts LOCK# regardless of the presence or absence of 
the LOCK prefix. 


The integrity of the LOCK prefix is not affected by the alignment of the memory field. 
Memory locking is observed for arbitrarily misaligned fields. 


Flags Affected 


None. 


Protected Mode Exceptions 


#UD if the LOCK prefix is used with an instruction not listed in the “Description” 
section above; other exceptions can be generated by the subsequent (locked) instruction. 


Real Address Mode Exceptions 


Interrupt 6 if the LOCK prefix is used with an instruction not listed in the “Description” 
section above; exceptions can still be generated by the subsequent (locked) instruction. 
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Virtual 8086 Mode Exceptions 


#UD if the LOCK prefix is used with an instruction not listed in the “Description” 
section above; exceptions can still be generated by the subsequent (locked) instruction. 
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LODS m8 Load byte [(E)SI] into AL 
LODS m16 Load word [(E)Sl] into AX 


LODS m32 Load dword [(E)SI] into EAX 
LODSB Load byte DS:[(E)SI] into AL” 
LODSW ; Load word DS:[(E)SI] into AX 
LODSD Load dword DS:[(E)SI] into EAX 


Operation — 


AddressSize = 16 | 
THEN use SI for source-index 
ELSE (* AddressSize = 32 *) 
use ESI for source-index; 
FI; 
IF byte type of instruction . 
THEN 
AL < [source-index]; (* byte load *) 
IF DF = 0 THEN IncDec < 1 ELSE IncDec <— —1; FI; 
ELSE | 
. IF OperandSize = 16 
THEN | ~ - 
AX < [source-index]; (* word load *) 
IF DF = 0 THEN IncDec < 2 ELSE IncDec < —2; FI; 
ELSE (* OperandSize = 32 *) 
EAX < [source-index]; (* dword load *) 
IF DF = O THEN IncDec < 4 ELSE IncDec < —4; FI; 
Fl; 
Fl; 
source-index < source-index + IncDec 


Description 


The LODS instruction loads the AL, AX, or EAX register with the memory byte, word, 
or doubleword at the location pointed to by the source-index register. After the transfer 
is made, the source-index register is automatically advanced. If the DF flag is 0:(the 
CLD instruction was executed), the source index increments; if the DF flag is 1 (the 
STD instruction was executed), it decrements. The increment or decrement is 1 if a byte 
is loaded, 2 if a word is loaded, or 4 if a doubleword is loaded. 


If the address-size attribute for this instruction is 16 bits, the SI register is used for the 
source-index register; otherwise the address-size attribute is 32 bits, and the ESI register 
is used. The address of the source data is determined solely by the contents of the ESI or 
SI register. Load the correct index value into the SI register before executing the LODS 
instruction. The LODSB, LODSW, and LODSD instructions are synonyms for the byte, 
word, and doubleword LODS instructions. 
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The LODS instruction can be preceded by the REP prefix; however, the LODS instruc- 
tion is used more typically within a LOOP construct, because further Piocessing of the 
data moved into the EAX, AX, or AL register is usually necessary. | 


Flags Affected 


None. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault- code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. | 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- -code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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LOOP/LOOPcond — Loop Control with CX Counter 


Instruction Clocks Description 


LOOP rel8g 2,6 DEC count; jump short if count <> 0 
LOOPE rel8 9,6 DEC count; jump short if count <> 0 and ZF=1 


LOOPZ rel8g 9,6 DEC count; jump short if count <> 0 and ZF=1 
LOOPNE re/8 9,6 DEC count; jump short if count <> 0 and ZF=0 
LOOPNZ re/g - 9,6 : DEC count; jump short if count <> 0 and ZF=0 


Operation 


IF AddressSize = 16 THEN CountReg is CX ELSE CountReg is ECX; FI; 
CountReg < CountReg — 1; 


IF instruction <> LOOP 

THEN 3 

IF (instruction = LOOPE) OR (instruction = LOOPZ) 
THEN BranchCond < (ZF = 1) AND (CountReg <> 0); 
Fl; 
IF (instruction = LOOPNE) OR (instruction = LOOPNZ) 
THEN BranchCond < (ZF = 0) AND (CountReg <> 0); 
Fl; — | 

Fl; 


IF BranchCond 
THEN 
IF OperandSize = 16 
THEN 
IP <— IP + SignExtend(re/é); 
ELSE (* OperandSize = 32 *) 
EIP <— EIP + SignExtend(re/g); 
Fl; 
Fl; 


Description 


- The LOOP instruction decrements the count register without changing any of the flags. 
Conditions are then checked for the form of the LOOP instruction being used. If the 
conditions are met, a short jump is made to the label given by the operand to the LOOP 
instruction. If the address-size attribute is 16 bits, the CX register is used as the count 
register; otherwise the ECX register is used. The operand of the LOOP instruction must 
be in the range from 128 (decimal) bytes before the instruction to 127 bytes ahead of the 
instruction. 


The LOOP instructions provide iteration control and combine loop index management 
with conditional branching. Use the LOOP instruction by loading an unsigned iteration 
count into the count register, then code the LOOP instruction at the end of a series of 
instructions to be iterated. The destination of the LOOP instruction is a label that points 
to the beginning of the iteration. 
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| Flags Affected 
None. 
Protected Mode Exceptions 


#GP(0) if the offset jumped to iS beyond the limits of the current t code segment. 


Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 


Notes 

The unconditional LOOP instruction ‘takes longer to. execute than a two- instruction 
sequence which decrements the count register é and jumps if the count does not equal 
Zero. 


All branches are converted into 16-byte eae fetches regardless of jump address. or 
cacheability. | 


26-206. 


intel. INSTRUCTION SET 


LSL—Load Segment Limit 


Opcode Instruction Clocks Description 


OF 03 /r LSL r16,r/m16 10/10 Load: r76 — segment limit, selector r/m16 (byte 
OF 03 /r LSL 132,r/m32 10/10 idee <— segment limit, selector r/m32 (byte 
OF 03 /r LSL r76,r/m16 10/10 | ‘ eee? <— segment limit, selector r/m16 (page 
OF 03 /r LSL r32,r/m32 | 10/10 | toad 3 <— segment limit, selector r/m32 (page 


_ Description 


The LSL instruction loads a register with an unscrambled segment limit, and sets the ZF 
flag, provided that the source selector is visible at the current privilege level and RPL, 
within the descriptor table, and that the descriptor is a type accepted by the LSL instruc- 
tion. Otherwise, the ZF flag is cleared, and the destination register is unchanged. The 
segment limit is loaded as a byte granular value. If the descriptor has a page granular 
segment limit, the LSL instruction will translate it to a byte limit before loading it in the 
destination register (shift left 12 the 20-bit “raw” limit from descriptor, then OR with | 
QOOOOFFFH). | 


The 32-bit forms of the LSL instruction store the 32-bit byte granular limit in the 32-bit 
destination register. 


Code and data segment descriptors are valid for the LSL instruction. 


The valid special segment and gate descriptor types for the LSL instruction are pen in 


the following table: 


Invalid Invalid 
Available 80286 TSS Valid 
LDT Valid 
Busy 80286 TSS Valid 
80286 call gate Invalid 
80286/Intel486 task gate Invalid 
80286 trap gate Invalid 
80286 interrupt gate Invalid 
Invalid ' Invalid 
Available Intel486 TSS Valid 
Invalid Invalid 
Busy Intel486 TSS . Valid 
Intel486 call gate Invalid 
Invalid. Invalid 
Intel486 trap gate Invalid 
Intel486 interrupt gate invalid 


0 
1 
2 
3 
4 
5 
6 
7 
8 
9 
A 
B 
C 
D 
E 
F 


Flags Affected 


The ZF flag is set unless the selector is invisible or of the wrong type, in which case the 
_ ZF flag is cleared. 
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Protected Mode Exceptions 
#GP(0) for an illegal memory.operand effective address in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault- code) for a. page 
fault, #AC for unaligned memory reference if the current privilege level 1 is 3. 


Real Address Mode Exceptions 


Interrupt 6; the LSL instruction is not recognized in Real Address Mode. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real puauness Mode; PAC for unaligned meniory: reterence if or 
current: Pee evel is 3. : , ) 7 
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LTR —Load Task Register 


Opcode instruction Clocks Description 
OF 00/3 LTR r/m16 20/20 Load EA word into task register 
Description 


_ The LTR instruction loads the task register from the source register or memory location 
specified by the operand. The loaded TSS is marked busy. A task switch does not occur. 


The LTR instruction is used ony in operating system software; it is not used in applica- 
tion programs. 3 


Flags Affected 


None. 


Protected Mode Exceptions 

#GP(0) for an illegal memory iaperud effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #GP(0) if the current privi- 
lege level is not 0; #GP(selector) if the object named by the source selector is not a TSS 


or is already busy; #NP(selector) if the TSS is marked “not present”; Si ia 
for a page fault. 


Real Address Mode Exceptions 


Interrupt 6; the LTR instruction is not recognized in Real Address Mode. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode. 


Notes 


The operand-size attribute has no effect on this instruction. 
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MOV — Move Data 


Instruction Clocks Description 


MOV r/m8,ré 
MOV 1r/m16,r716. 
MOV 1/m32,r32 
MOV r8,r/m8 
MOV r16,r/m16 
MOV r32,r/m32 
MOV r/m16,Sreg* 
MOV Sreg,r/m16 
MOV AL, moffs8 
MOV AX, moffs16 
_MOV EAX,moffs32 
MOV moffs8,AL 
MOV moffs16,AX 
MOV moffs32,EAX 
‘MOV reg8,imm8& 
MOV reg16,imm16 
MOV reg32,imm32 
MOV r/m8,immé 
MOV r/m16,imm16 
MOV r/m32,imm32 


Move byte register to r/m byte 
Move word register to r/m word 
Move dword register to r/m dword 
Move r/m byte to byte register 
Move r/m word to word register 
Move r/m dword to dword register 
Move segment register to r/m word 
Move r/m word to segment register 
Move byte at (seg:offset) to AL 
Move word at (seg-offsef) to AX 
Move dword at (seg:offsef) to EAX 
Move AL to (seg-offsef) 

Move AX to (seg-offsef) 

Move EAX to (seg:offset) 

Move immediate byte to register 
Move immediate word to register 
Move immediate dword to register 
Move immediate byte to r/m byte 
Move immediate word to r/m word 
Move immediate dword to r/m dword 


omen) 


ck kk et et oh GD) OD es ss es ss ow 


NOTES: moffs8, moffs16, and moffs32 all consist of a simple offset relative to the segment base. The 8, 76, 
and 32 refer to the size of the data. The address-size attribute of the instruction determines the 
size of the offset, either 16 or 32 bits. 


—*In protected mode, use 16-bit operand size > pretix (a byte with the value 67H preceding. the 
Instruction. ) : | } 


Operation 
DEST < SRC: 


Description 
The MOV instruction copies the second operand to the first operand. 


If the destination operand is a segment register (DS, ES, SS, etc.), then data from a 
descriptor is also loaded into the register. The data for the register is obtained from the 
descriptor table entry for the selector given. A null selector (values 0000-0003) can be 
loaded into the DS and ES registers without causing an exception; however, use of the 
DS or ES register causes a #GP(0) exception, and no memory reference occurs. 


A MOV into SS instruction inhibits all interrupts until after the execution of the next 
instruction (which is presumably a MOV into ESP instruction). 


Loading a segment register under Protected Mode results in special checks and actions, 
as described in the following listing: 


IF SS is loaded; 
THEN 

IF selector is a THEN #GP(0); 
FI; 
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Selector index must be within its descriptor table limits else #GP(selector); 
Selector’s RPL must equal CPL else #GP(selector); 
AR byte must indicate a writable data segment else #GP(selector); 
DPL in the AR byte must equal CPL else #GP(selector); 
- Segment must be marked present else #SS(selector); 
Load SS with selector; 
Load SS with descriptor. 
Fl; 
IF DS, ES, FS or GS is loaded with non-null selector; 
THEN 
- Selector index must be within its descriptor table limits 
else #GP(selector); 
AR byte must indicate data or readable code segment else #GP(selector); 
IF data or nonconforming code segment 
THEN both the RPL and the CPL must be less than or equal to DPL in AR byte; 
ELSE #GP(selector); 
Fl; 
Segment must be marked present else #NP(selector), 
Load segment register with selector; 
Load segment register with descriptor; 
Fl; 
IF DS, ES, FS or GS is loaded with a null selector; 
THEN 
Load segment register with selector: 
Clear descriptor valid bit; 
Fl; 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP, #SS, and #NP if a segment register is being loaded; otherwise,.#GP(0): if the 
destination is in a nonwritable segment; #GP(0) for an illegal memory operand effective 
address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS 
segment; #PF(fault- -code) for a page fault; #AC for unaligned memory reference if the 


current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 


from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- code) for a page fault; #AC for 


unaligned memory reference if the current privilege level is 3. 
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“MOV—Move to/from Special Registers 


Instruction —** Clocks: a Description © 


OF 22 /r MOV CRO,r32 _ Move (register) to (contro! ragigian 
OF 20 /r MOV r32,CRO/CR2/CR3 7 5." Move (control register) to (register) 
OF 22 /r MOV CR2/CR3,r32 Move (register) to: (control register) 
OF 21 /r MOV r32,DRO-DR3 Move (debug register) to (register) 
OF 21 /r MOV r32,DR6/DR7 Move (debug register) to (register) — 
OF 23 /r MOV r32,DRO-DR3 Move (register) to (debug register) 
OF 23 /r MOV DR6/DR7,r32 : _. Move (register) to. (debug register) 
OF 24 /r MOV r32,TR4/TR5/TR6/TR7 | | — Move (test register) to (register) 

OF 26 /r MOV TR4/TR5/TR6/TR7 ,r32 Move (register) to (test register) 

OF 24/r MOV r32, TR3 a ~ * --* “Move (test register3) to (register) 
OF 26/r MOV TR3,r32 Move (registers) to (test register3) 


Operation 


DEST < SRC; 


Description 


The above forms of the MOV instruction store or load the following special EBC in 
or from a general purpose register: : 


e Control registers CRO, CR2, and CR3 
e Debug Registers DRO, DR1, DR2, DR3, DR6, and DR7 
e Test Registers TR3, TR4, TR5, TR6 and TR7 


Thirty-two bit operands are always used with these instructions, eateaicss of a 
operand-size attribute. | 


Flags Affected 

The OF, SF, ZF, AF. PF, and CF flags are undefined. - 
Protected Mode Exceptions . 

#GP(0) if the current privilege level is not 0. 

Real Address Mode Exceptions 

None. 

Virtual 8086 Mode pian dae 

#GP(0) if instruction execution is aera 
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Notes 


The instructions must be executed at privilege level 0 or in real-address mode; otherwise, 
a protection exception will be raised. 


The reg field within the ModR/M byte specifies which of the special registers in each 
category is involved. The two bits in the mod field are always 11. The r/m field specifies 
the general register involved. | 


Always set undefined or reserved bits to the value previously read. 
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MOVS/MOVSB/MOVSW/MOVSD — Move Data from sii to. 
String: 


Opcode Instruction | Description 


MOVS m8,m8 Move byte [(E)SI] to ES:[(E)DI] 

: MOVS m16,m16 ° ee re I -Move: word [(E)SI] to ES:[(E)DI] 

~ . MOVS m32,m32. «i. | re ae _ Move dword [(E)SI] to ES:[(E)DI] 
MOVSB —_ oo . Move byte DS:[(E)SI] to ES: [(E)DI] . 
MOVSW Move word DS:[(E)SI] to ES:[(E)D!] - 


MOVSD Move dword DS:[(E)SI] to ES:[(E)DI] 


Operation 


IF (instruction = MOVSD) OR (instruction has doubleword operands) 
THEN OperandSize < 32; 
ELSE OperandSize < 16; 
IF AddressSize = 16 
THEN use SI for source-index and DI for destination-index; 
ELSE (* AddressSize = 32 *) 
use ESI for source-index and EDI for destination-index; 
Fl; 
IF byte type of instruction 
THEN 
[destination-index] <— soirée: index]; (* byte assignment *) 
IF DF = 0 THEN IncDec < 1 ELSE IncDec < —1; FI; 
ELSE 
IF OperandSize = 16 
THEN 
[destination-index] < [Source-index]; (* word assignment *) 
IF DF = O THEN IncDec < 2 ELSE IncDec < —2; FI; 
ELSE (* OperandSize = 32 *) | 
[destination-index] < [source-index]; (* doubleword assignment *) 
IF DF = 0 THEN IncDec <- 4 ELSE IncDec < —4; FI; 
Fl; 
Fl; 
source-index < source-index + IncDec; 
destination-index < destination-index + IncDec; 


Description 


The MOVS instruction copies the byte or word at [(E)SI] to the byte or word at 
ES:[(E)DI]. The destination operand must be addressable from the ES register; no seg- 
ment override is possible for the destination. A segment override can be used for the 
source operand; the default is the DS register. 


The addresses of the source and destination are determined solely by the contents of the 
(E)SI and (E)DI registers. Load the correct index values into the (E)SI and (E)DI 
registers before executing the MOVS instruction. The MOVSB, MOVSW, and MOVSD 
instructions are synonyms for the byte, word, and doubleword MOVS instructions. 
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After the data is moved, both the (E)SI and (E)DI registers are advanced automatically. 
If the DF flag is 0 (the CLD instruction was executed), the registers are incremented; if 
the DF flag is 1 (the STD instruction was executed), the registers are decremented. The 
registers are incremented or. decremented by 1 if a byte was moved, 2 if a word was 
moved, or 4 if a doubleword was moved. 


The MOVS instruction can be preceded by the REP prefix for block movement of CX 
_bytes or words. Refer to the REP instruction for details of this operation. 


Flags Affected 


None. 


Protected Mode Exceptions 
#GP(0) if the result is in a nonwritable seenieae #GP(0) for an legal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault- -code) for a page fault; #AC for BnavEns memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. | : 


Virtual 8086 Mode Exceptions — 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


26-215 


intel ; INSTRUCTION SET 


MOVSX— Move with Sign-Extend 


Instruction Clocks nds af Description | He | 
MOVSX r16,r/m8 — 33 - a Move byte to word with sign-extend 


MOVSX r32,r/m8 3/3 Move byte to dword, sign-extend 
MOVSX r32,r/m16 3/3 Move word to dword, sign-extend 


Operation 


DEST < SignExtend(SRC); 


Description 
The MOVSX instruction reads the contents of the effective address. or register as a byte 


or a word, sign-extends the value to the operand-size attribute of the instruction he or 
ae pu), and stores the result in ne destination res ere ee 


Fiage Affected — 


None. 


Protected Mode Exceptions 
#GP(0) for an illegal memory ery eaecive address in the CS, DS, ES, FS or Gs 


segments; #SS(0) for an illegal address in the SS segment; #PF (fault-code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions © 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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MOVZX — Move with Zero-Extend 


Opcode Instruction - Clocks | Description 
OF B6/r . °° MOVZX r16,r/m8 3/3 Move byte to word with zero-extend 


OF B6 /r MOVZX r32,r/m8 — 3/3 Move byte to dword, zero-extend 
OF B7 /r MOVZX r32,r/m16 3/3 Move word to dword, zero-extend 


Operation 


DEST <— ZeroExtend(SRC): 


Description 
The MOVZX instruction reads the contents of the effective address or register as a byte 


or a word, zero extends the value to the operand-size attribute of the instruction (16 or 
32 bits), and stores the result in the destination register. 


Flags Affected 


None. 


Protected Mode Exceptions | 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any pan of the operand would lie outside of the effective address space 
from 0 to OFFFFH. | 


Virtual 8086 Mode Exceptions © 


Same exceptions as in Real Address Mode; #PF(fault- code) for a page fault; #AC for | 
unalienge memory penne if the current : privilege never! is a 
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MUL— Unsigned Multiplication of AL or AX 


Opcode ~ Instruction . Clocks Description 
F6 /4 » MULAL,r/m8& | -  13/18,13/18 Unsigned multiply (AX <— AL * r/m byte) 


F7 /4 MUL AX,r/m16—=~-——CO—C«*:8/26, 13/26 Unsigned multiply (DX:AX <— AX * r/m word)” 
F7 /4 MUL EAX,r/m32 13/42,13/42 Unsigned multiply nes EAX <— EAX* r/m .. 
i Be, al ke eee . . _ dword) . 


NOTES: The Intel486 processor uses an early-out multiply algorithm. The actual number of clocks 
depends on the position of the most significant bit in the optimizing multiplier . The optimization 
occurs for positive and negative multiplier values. Because of the early-out algorithm, clock counts 
given are minimum to maximum. To calculate the actual clocks, use the following formula: 

Actual clock = if m <> 0 then max(ceiling(log, | m |), 3) + 10 clocks; 
Actual clock = if m = 0 then 13 clocks 
where m is the multiplier. 


Operation _ 


IF byte-size operation 
THEN AX < AL * r/m8& 
ELSE (* word or doubleword operation *) 
IF OperandSize = 16 
THEN DX:AX <— AX * 1/m16 
ELSE (* OperandSize = 32 *) 
EDX:EAX < EAX * r/m32 
. El i 
Fl; 


Description 
The MUL instruction performs unsigned multiplication. Its actions open on the size of 
its operand, as follows: | | , 


e A byte operand is multiplied by the AL value; the result is left in the AX register. 
The CF and OF flags are cleared if the AH value is 0; otherwise, they are set. 


“e A word operand is multiplied by the AX value; the result is left in the DX:AX 
register pair. The DX register contains the high-order 16 bits of the product. The CF 
and OF flags are cleared if the DX value is 0; otherwise, they are set. 


e A doubleword operand is multiplied by the EAX value and the result is left in the 
~EDX:EAX register. The EDX register contains the high-order 32 bits of the product. 
The CF and OF flags are cleared if the EDX value is 0; otherwise, they are set. 


Flags Affected 


The OF and CF flags are cleared if the upper half of the result is 0; otherwise they are 
set; the SF, ZF, AF, and PF flags are undefined. 
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Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions: | 


Interrupt 13 if any part of the operand would lie outside of the effective address spose 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- code) for a page fault; #AC for 
unaligned memory ECMET EMR if the current privilege level is3.. 
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NEG —Two’s Complement Negation 


Opcode Instruction Clocks | _. Description 


F6 /3 ‘NEG r/m8 1/3. . ace Two’s complement negate r/m byte 
F7 3 NEG rmié | 38. . Two’s complement negate r/m word » 
F7 /3 NEG r/m32 1/3 Two’s complement negate r/m dword 


Operation 


IF r/m = 0 THEN CF — 0 ELSE CF < 1: Fl; 
/m<—-—rm 


Description 

The NEG instruction replaces the value of a register Or memory operand with its two’s 
complement. The operand is subtracted from zero, and the result is placed in the 

operand. | 


The CF flag is set, unless the operand is zero, in which case the CF flag is cleared. 


Flags Affected 


The CF flag is set unless the operand is zero, in which case the CF flag is cleared; the 
OF, SF, ZF, and PF flags are set according to the result. 


Protected Mode Exceptions 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault- code) for a page fault; #AC for unalence memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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NOP — No Operation 


Opcode Instruction Clocks Description 7 
90 NOP 1 . No operation 


Description 


The NOP instruction performs no operation. The NOP instruction is a one-byte instruc- 
tion that takes up space but affects none of the machine context except the (E)IP 
register. 


The NOP instruction is an alias mnemonic for the XCHG (E)AX, (E)AX instruction. 


Flags Affected 

None. 

Protected Mode Exceptions 
None. 

Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 
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NOT — One’s Complement Negation 


Instruction Clocks Description 


NOT r/m8 1/3 - Reverse each bit of r/m byte” 
NOT r/m16 1/3 Reverse each bit of 4m word 
NOT r/m32 1/3 Reverse each bit of r/m dword 


Operation 


r/m a NOT r/m; 


Description 


The NOT instruction inverts the operand; every 1 becomes a 0, and vice versa. 


Flags Affected 


None. 


Protected Mode Exceptions 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference — 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3.. 
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OR — Logical Inclusive OR 


Instruction Clocks Description 


OR AL,imm8 OR immediate byte to AL 

OR AX,imm16 OR immediate word to AX 

OR EAX,imm32 : OR immediate dword to EAX 

OR r/m8,imm8s OR immediate byte to r/m byte 

OR r/m16,imm16 OR immediate word to r/m word 

OR r/m32,imm32 OR immediate dword to r/m dword 

OR r/m16,imm8s | OR sign-extended immediate byte with r/m word 


OR r/m32,imm8 re oe immediate byte with r/m 
wor 

OR 1/m8,r8 OR byte register to r/m byte 

OR r/m16,r16 OR word register to r/m word 

OR 1/m32,r32 OR dword register to r/m dword 

OR r8,r/m8 OR byte register to r/m byte 

OR r16,r/m16 OR word register to r/m word 

OR 1£32,r/mM32 OR dword register to r/m dword 


Operation 


DEST < DEST OR SRC; 
CF < 0; 
OF <— 0 


Description 


The OR instruction computes the inclusive OR of its two operands and places the result 
in the first operand. Each bit of the result is 0 if both corresponding bits of the operands 
are 0; otherwise, each bit is 1. 


Flags Affected 


The OF and CF flags are cleared; the SF, ZF, and PF flags are set according to the 
result; the AF flag is undefined. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. | 
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Virtual 8086 Mode Exceptions 


Same exceptions as in real-address mode; #PF(fault- -code) for a page fault; #AC for 
unaligned memory eee! if the current privilege level is 3. 
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OUT — Output to Port 


- Instruction = Clocks » | Description: 


OUT imm8,AL 16,pm=11*/ Output byte AL to immediate port number 
31**, VM=29 

OUT imm8,AX 16,pm=11*/ Output word AL to immediate port number 
31**, VM=29 

OUT immé8,EAX 16,0m= 11*/ Output dword AL to immediate port number 
31**,VM=29 

OUT DX,AL 16,om= 10*/ Output byte AL to port number in DX 

30**, VM =29 

OUT DX,AX 16,om= 10*/ Output word AL to port number in DX 
30**,VM = 29 

OUT DX,EAX 16,pm= 10*/ Output dword AL to port number in DX 
30**,VM=29 


NOTES: *If CPL < IOPL 
**If CPL > IOPL 


Operation 


IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) 

THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *) 
IF NOT 1!-O-Permission (DEST, width(DEST)) 
THEN #GP(0); 
FI; 

Fl; 

[DEST] < SRC; (* I/O address space used *) 


Description 


The OUT instruction transfers a data byte or data word from the register (AL, AX, or 
EAX) given as the second operand to the output port numbered by the first operand. 
Output to any port from 0 to 65535 is performed by placing the port number in the DX - 
register and then using an OUT instruction with the DX register as the first operand. If 
the instruction contains an eight-bit port ID, that value is zero-extended to 16 bits. 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP(0) if the current privilege level is higher (has less privilege) than the I/O privilege 
level and any of the corresponding I/O permission bits in the TSS equals 1. 


Real Address Mode Exceptions 
None. 
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Virtual 8086 Mode Exceptions 


#GP(0) fault if any of the corresponding I/O permission bits in the TSS equals 1. _ 
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OUTS/OUTSB/OUTSW/OUTSD — Output String to Port 


Instruction | Clocks | < Description 


OUTS DX,r/m8& 17,pm=10*/ Output byte. [(E)S!] to port in DX 
32** VM =30 
OUTS DX;r/m16 17,pm= 10*/ Output word [(E)SI] to port in DX 
| 32**, VM =30 
OUTS DX,r/m32 17,pm= 10*/ Output dword [(E)SI] to port in DX 


32** VM=30 
OUTSB 17,pm= 10*/ Output byte DS:[(E)SI] to port in DX 
32** VM=30 
OUTSW 17,pm= 10*/ ; Output word DS:[(E)SI] to port in DX 
| 32** VM =30 i | | 
OUTSD_ 17,pm= 10*/ | Output dword DS:[(E)SI] to port in DX 
32**, VM=30 fee g 


NOTES: *If CPL < IOPL 
**If CPL > IOPL 


Operation 


IF AddressSize = 16 | 

THEN use Sl for source-index; - 

ELSE (* AddressSize = 32 *) 
use ESI for source-index; 

Fl: 


IF (PE = 1) AND ((VM = 1) OR (CPL > IOPL)) 
THEN (* Virtual 8086 mode, or protected mode with CPL > IOPL *) 
IF NOT I-O-Permission (DEST, width(DEST)) 
THEN #GP(0); 
Fl; 
IF byte type of instruction 
THEN | 
[DX] <— [source-index]; (* Write byte at DX I/O address *) 
IF DF = 0 THEN IncDec < 1 ELSE IncDec < —1; FI; 
Fl: 
IF OperandSize = 16 
THEN | 1. fe . tase. eo 8 
[DX] < [source-index]; (* Write word at DX I/O address *) 
IF DF = 0 THEN IncDec <.2 ELSE IncDec.<- —2; Fl; 
Fl; a ae 
IF OperandSize = 32 
THEN 
[DX] <— [source-index]; (* Write dword at DX I/O address *) 
IF DF = 0 THEN IncDec < 4 ELSE IncDec < —4; FI; 
Fl; 
source-index < source-index + IncDec; 
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Description 


The OUTS instruction transfers data from the memory byte, word, or doubleword at the 
source-index register to the output port addressed by the DX register. If the address-size 
attribute for this instruction is 16 bits, the SI register is used for the source-index regis- 
ter; otherwise, the address-size attribute is 32 bits, and the ESI register is used for the 
source-index peptster: 


The OUTS instruction does not allow specification of the port number as an immediate 
value. The port must be addressed through the DX register value. Load the correct ans , 
into the DX register betore executing the OUTS instruction. 


The address of the source data is determined by the contents of source-index register. 
Load the correct index value into the SI or ESI register before executing the OUTS 
instruction. 


After the transfer, source-index register is advanced automatically. If the DF flag is 0 
(the CLD instruction was executed), the source-index register is incremented; if the DF 
flag is 1 (the STD instruction was executed), it is decremented. The amount of the 
increment or decrement is 1 if a byte is output, 2 if a word is output, ¢ or if a doubleword 
is output. : 


The OUTSB, OUTSW, and OUTSD instructions are synonyms for the byte, word, and 
doubleword OUTS instructions. The OUTS instruction can be preceded by the REP 
prefix for block output of CX bytes or words. Refer to the REP instruction for details on 
this operation. a | : | 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP(0) if the current privilege level is greater than the I/O privilege level and any of the 
corresponding I/O permission bits in TSS equals 1; #GP(0) for an illegal memory oper- 
and effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault- code) for a page fault; #AC for ened mem- 
ory reference if the current privilege level is 3. a 


Real Address Mode Exceptions nae 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. oe oe | a 
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Virtual 8086 Mode Exceptions 
#GP(0) fault if any of the corresponding I/O permission bits in TSS equals 1; #PF(fault- 


code) for a page fault; #AC for unaligned memory reference if the current privilege 
level is 3. 
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POP — Pop a Word from the Stack 


Opcode. | ‘Instruction’: © °°: CSS YF, 8 es Description ° Bee Se eh. HT Oe = 
POP m32 
POP r16 
POP r32 


- +. Pop top of stack into memory word | | 
Pop top of stack into memory dword . - 
Pop top of stack into word register 
Pop top of stack into dword register 
Pop top of stack into DS 
Pop top of stack into ES 
Pop top of stack into SS 
Pop top of stack into FS 
Pop top of stack into GS 


POP DS 
POP ES 
POP SS 
POP FS 
POP GS 


WOWWWWAAAD MD 


_ Operation 


IF StackAddrSize = 16 


THEN 
IF OperandSize = 16 
THEN 
DEST < (SS:SP); (* copy a word " | 
SP < SP + 2; 


ELSE (* OperandSize = 32 *) 
DEST < (SS:SP); (* copy a dword *) 
SP <— SP + 4; 

Fl; 


ELSE (* StackAddrSize = 32 * ) 
IF OperandSize = 16 
THEN 
DEST < (SS:ESP); (* copy a word *) 
ESP — ESP + 2; 
ELSE (* OperandSize = 32 *) 
DEST < (SS:ESP); (* copy a dword *) 
ESP < ESP + 4; | 
Fl; 
Fl; 


Description 


The POP instruction replaces the previous contents of the memory, the register, or the 
segment register operand with the word on the top of the Intel486 processor stack, 
addressed by SS:SP (address-size attribute of 16 bits) or SS:ESP (address-size attribute 
of 32 bits). The stack pointer SP is incremented by 2 for an operand-size of 16 bits or by 
4 for an operand-size of 32 bits. It then points to the new top of stack. © 


The POP CS instruction is not an Intel486 processor instruction. Popping from the stack 
into the CS register is oe with a RET instruction. 
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If the destination operand is a segment register (DS, ES, FS, GS, or SS), the value 
popped must be a selector. In protected mode, loading the selector initiates automatic 
loading of the descriptor information associated with that selector into the hidden part 
of the segment register; loading also initiates validation of both the selector and the 
descriptor information. 


A null value (0000-0003) may be popped into the DS, ES, FS, or GS register without 
causing a protection exception. An attempt to reference a segment whose corresponding 
segment register is loaded with a null value causes a #GP(0) exception. No oe 
reference occurs. The saved value of the segment register is null. | 


A POP SS instruction inhibits all interrupts, including NMI, until after execution of the 
next instruction. This allows sequential execution of POP SS and POP eSP instructions 
without danger of having an invalid stack during an interrupt. However, use of the LSS 
instruction is the preferred method of loading the SS and eSP registers. 


A POP-to-memory instruction, which uses the stack pointer (ESP) as a base register, 
references memory after the POP. The base used is the value of the ESP after the 
instruction executes. 


Loading a segment register while in protected naede results in special checks and actions, 
as described in the following listing: . 


IF SS is loaded: 
IF selector is null THEN #GP(0); 
Selector index must be within its descriptor table limits ELSE . 
#GP(selector): 
Selector’s RPL must equal CPL ELSE #GP(selector); © 
AR byte must indicate a writable data segment ELSE #GP(selector); 
DPL in the AR byte must equal CPL ELSE #GP(selector); 
Segment must be marked present ELSE #SS(selector); 
Load SS register with selector; 
Load SS register with descriptor; 


IF DS, ES, FS or GS is loaded with non-null selector: 

AR byte must indicate data or readable code segment ELSE 
#GP(selector); 

IF data or nonconforming code 

THEN both the RPL and the CPL must be less than or equal to DPL in 
AR byte | 

ELSE #GP(selector); 

Fl; 

Segment must be marked present ELSE #NP(selector); 

Load segment register with selector; 

Load segment register with descriptor; 


IF DS, ES, FS, or GS is loaded with a null selector: 


Load segment register with selector 
Clear valid bit in invisible portion of register 
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Flags Affected 

None. 

Protected Mode Exceptions 

#GP, #SS, and #NP. if a segment register is being loaded; #SS(0) if the current top of 
stack is not within the stack segment; #GP(0) if the result is in.a nonwritable segment; 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault- code) for a page 
aut Bins for ee see reference if the current privilege level is 3. 


| Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of ihe effective address space 
from : to OFFFFH. | 


Virtual 8086 Mode Exceptions 


Same exceptions as in real-address mode; #PF(fault- code) for a page fault; ie for 
unaligned memory reference if the current privilege level is 3. _ | 


Notes 


Back-to-back’ PUSH/POP instruction sequences are allowed without incurring an addi 
tional clock. . 


SSB bit will determine. the size ‘of. Stack vere Size 


_ Pop ESP instructions increments the stack pointér (ESP) b before data at Be old oe of 
stack is written into the destination. | 
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POPA/POPAD — Pop all General Registers 


Instruction Clocks Description 


POPA 9 Pop DI, SI, BP, BX, DX, CX, and AX 
9 Pop EDI, ESI, EBP, EDX, ECX, and EAX. 


Operation 


IF OperandSize = 16 (* instruction = POPA *) 
THEN | 
DI —Pop(); 
SI — Pop(); 
BP < Pop(); 
increment SP by 2 (* skip next 2 bytes of stack *) 
BX < Pop(); 
DX < Pop(); 
CX <— Pop(); 
AX <— Pop(); 
ELSE (* OperandSize = 32, instruction = POPAD *) 
EDI < Pop(); 
ESI — Pop(); 
EBP < Pop(); 
increment SP by 4 (* skip next 4 bytes of stack *) 
EBX < Pop(); 
EDX < Pop(); 
ECX < Pop(); 
EAX <— Pop(); 
Fl; 


Description 


The POPA instruction pops the eight 16-bit general registers. However, the SP value is 
discarded instead of loaded into the SP register. The POPA instruction reverses a pre- 
vious PUSHA instruction, restoring the general registers to their values before the 
PUSHA instruction was executed. The first register popped is the DI register. 


The POPAD instruction pops the eight 32-bit general registers. The ESP value is dis- 
carded instead of loaded into the ESP register. The POPAD instruction reverses the 
previous PUSHAD instruction, restoring the general registers to their values before the 
PUSHAD instruction was executed. The first register popped is the EDI register. 


Flags Affected 


None. 
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Protected Mode Exceptions 


#SS(0) if the starting or ane stack address is not within the stack seamen 
#PF(fault- of for a page fault. | 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in real-address mode; #PF(fault-code) for a page fault. 
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~-POPF/POPFD — Pop Stack into FLAGS or EFLAGS Register — 


Opcode Instruction ‘Clocks: Description 


9D POPF ce at 9;pm=6 Pop top of stack FLAGS. — - 
9D POPFD ae. - 9,pm=6 Pop top of stack into EFLAGS 


Operation 


Flags <— Pop(); 


Description 

The POPF and POPFD instructions pop the word or doubleword on the top of the stack 
and store the value in the flags register. If the operand- -size attribute of the instruction is 
16 bits, then a word is popped and the value is stored in the FLAGS register. If the 


operand-size attribute 1s 32 bits, then a doubleword is popped and the value is stored in 
the EFLAGS register. 


Refer to Chapter 2 and Chapter 4 for information about the FLAGS and apace 
registers. Note that bits 16 and 17 of the EFLAGS register, called the VM and RF flags, 

respectively, are not affected by the POPF or POPFD instruction. 

The I/O privilege level is altered only when executing at privilege level 0. The interrupt 
flag is altered only when executing at a level at least as privileged .as the I/O privilege 
level. (Real-address mode is equivalent to privilege lével 0.) If a POPF instruction is 
executed with insufficient privilege, an exception does not occur, but the Privileged. bits 
do not change. 

Flags Affected 


All flags except the VM and RF flags. 


Protected Mode Exceptions 


#SS(0) if the top of stack is not within the stack segment. 


Real Address Mode Exceptions 


Interrupt 13 if any eat of the epoane would lie outside of the effective address space 
from 0 to OFFFFH. . | i as | | | 


Virtual 8086 Mode en 7 


#GP(0) fault if the I/O privilege level is less than 3, to permit emulation. 
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PUSH — Push Operand onto the Stack 


Instruction Description 


PUSH r/m16 
PUSH r/m32 
PUSH r16 
PUSH 132 
PUSH imm8s 
PUSH imm16 
PUSH imm32 
PUSH CS 
PUSH SS 
PUSH DS 
PUSH ES 
PUSH FS 

- PUSH GS 


Push memory word | 
Push memory dword 
Push register word 
Push register dword 
Push immediate byte 
Push immediate word 
Push immediate dword 
Push CS 

Push SS 

Push DS 

Push ES 

Push FS 

Push GS 


OWWOoOWW-A aA aA as AA 


Operation | 


IF StackAddrSize = 16 


THEN 
IF OperandSize = 16 THEN 
SP<—SP-2; | | 
(SS:SP) <— (SOURCE); (* word assignment *) 
ELSE 
SP <— SP -— 4; 


(SS:SP) — (SOURCE); (* dword assignment *) 


ELSE (* StackAddrSize = 32 *) 
IF OperandSize = 16 


THEN 

ESP <— ESP -— 2; 

(SS:ESP) — (SOURCE); (* word assignment *) 
ELSE 

ESP <— ESP — 4; 

(SS:ESP) <— (SOURCE); (* dword assignment *) 
Fl; 


FI; 


Description 


The PUSH instruction decrements the stack pointer by 2 if the operand-size attribute of 
the instruction is 16 bits; otherwise, it decrements the stack pointer by 4. The PUSH 
instruction then places the operand on the new top of stack, which is pointed to by the 
stack pointer. | 


The PUSH ESP instruction pushes the value of the ESP register as it existed before the 
instruction. This differs from the 8086, where the PUSH SP instruction pushes the new 


value (decremented by 2). 
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Likewise, a PUSH-from-memory instruction, which uses the stack pointer (ESP) as a 
base register, references memory before the PUSH. The base used is the value of the 
ESP before the instruction executes. 


Flags Affected 


None. 


Protected Mode Exceptions 
#SS(0) if the new value of the SP or ESP register is outside the stack segment limit; 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


None; if the SP or ESP register is 1, the processor shuts down due to a lack of stack 
space. . | 


Virtual 8086 Mode Exceptions 


Same exceptions as in real-address mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


When used with an operand in memory, the PUSH instruction takes longer to execute 
than a two-instruction sequence which moves the operand through a register. 


Back-to-back PUSH/POP instruction sequences are allowed without incurring an addi- 
tional clock. 


Selective pushes write only the top of the stack. 
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PUSHA/PUSHAD — Push all General Registers 


Opcous Instruction Clocks | Description 
PUSHA 11 Push AX, CX, DX, BX, original SP, BP, SI, and DI 


PUSHAD > 11 Push EAX, ECX, EDX, EBX, orginal ESP, EBP, . 
ESI, and EDI 


Operation — 


IF OperandSize = = (16 e PUSHA instruction *) 

THEN | 

_ Temp < (SP); 
~Push(AX);, * | 

Push(CX); 

Push(DX); 

Push(BX); 

Push(Temp); 

-Push(BP); 

Push(Sl); 

Push(Dl); 

ELSE (* Operandsize = = 32, PUSHAD instruction “)° 

Temp < (ESP); 

.,Push(EAX);. 

Push(ECX); 
Push(EDX); 
Push(EBX); 
Push(Temp); 
Push(EBP); 

( 
( 


fag fs re 


‘Push(ESl); 
— Push(EDI); 
Et. 


Description 


The PUSHA and PUSHAD instructions save the 16-bit or 32-bit general registers, 
respectively, on the Intel486 processor stack. The PUSHA instruction decrements the 
stack pointer (SP) by 16 to hold the eight word values. The PUSHAD instruction decre- 
ments the stack pointer (ESP) by 32 to hold the eight doubleword values. Because the 
registers are pushed onto the stack in the order in which they were given, they appear in 
the 16 or 32 new stack bytes in reverse order. The last register pushed is the DI or EDI 
register. | 


Flags Affected 


None. 
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Protected Mode Exceptions 


#SS(0) if the starting or ending stack address is outside the stack segment limit; 
#PF(fault-code) for a page fault. 


Real Address Mode Exceptions 
Before executing the PUSHA or PUSHAD instruction, the Intel486 DX processor shuts 


down if the SP or ESP register equals 1, 3, or 5; if the SP or ESP Bearer pluce 7, 9, 11, 
13, or 15, exception 13 occurs. 


Virtual 8086 Mode Exceptions | 


Same exceptions as in real-address mode; #PF(fault-code) for a page fault. 
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PUSHF/PUSHFD — Push Flags Register onto the Stack —— 


» os. Instruction...» .. -»Clocks ©. +. ; °' . . Description 


PUSHF 4,pm=8 Push FLAGS 
PUSHFD 4,pm=3 Push EFLAGS 


Operation a 
IF OperandSize = 32 ee 
THEN push(EFLAGS); 


ELSE push(FLAGS); 
Fl; 


Description’. 0 6 es 
The PUSHF instruction decrements the stack pointer by 2 and copies the FLAGS reg- 
ister to the new top of stack; the PUSHFD instruction decrements the stack pointer by 4, 


and the EFLAGS register is copied to the new top of stack which is pointed to by 
SS:ESP. Refer to Chapter 2 and to Chapter 4 for information on the EFLAGS register. 


Flags Affected 


None. 


Protected Mode Exceptions 


#SS(0) if the new value of the ESP register is outside the stack segment boundaries. 


Real Address Mode Exceptions 


None; the Intel486 processor shuts down due to a lack of stack space. 


Virtual 8086 Mode Exceptions 


#GP(0) fault if the I/O privilege level is less than 3, to permit emulation. 
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RCL/RCR/ROL/ROR — Rotate 


Instruction 


RCL r/m8,1 

RCL r/m8,CL 
RCL r/m8,imm8 
RCL r/m16,1 

RCL r/m16,CL 
RCL r/m16,imm8 
RCL r/m32,1 

RCL r/m32,CL 
RCL r/m32,imm8 
RCR r/m8,1 

RCR r/m8,CL 
RCR r/m8,imm8s 
RCR r/m16,1 
RCR r/m16,CL 
RCR r/m16,imm8 
RCR r/m32,1 
RCR r/m32,CL 
RCR r/m32,imm8s 
ROL r/m8,1 

ROL r/m8,CL 
ROL r/m8,imm8& 
ROL r/m16,1 
ROL r/m16,CL 
ROL r/m16,imm8 
ROL r/m32,1 
ROL r/m32,CL 
ROL r/m32,imm8 
ROR r/m8,1 

ROR r/m8,CL 
ROR r/m8&,imm8s 
ROR r/m16,1 
ROR r/m16,CL 
ROR r/m16,imm8s 
ROR r/m32,1 
ROR 1/m32,CL 


C1 /1 ib - ROR r/m32,imm8 


Operation 


(* ROL - Rotate Left *) 

temp <— COUNT; 

WHILE (temp <> 0) 

DO _ 
tmpcf <— high-order bit of (r/m) 
r/7m<— r/m* 2 + (tmpcf); 
temp < temp — 1; 

ODS 

IF COUNT = 1 

THEN 
IF high-order bit of r/m <> CF 
THEN OF < 1; 
ELSE OF < 0; 
Fl; 

ELSE OF < undefined; 

Fl; 


Clocks 


3/4 
8-30/9-31 
8-30/9-31 
3/4 
8-30/9-31 
8-30/9-31 


8-30/9-31 
3/4 
8-30/9-31 
8-30/9-31 
3/4 
3/4 
2/4 
3/4 
3/4 
2/4 
3/4 
3/4 
2/4 
3/4 
3/4 
2/4 
3/4 


3/4 


2/4 
3/4 
3/4 
2/4 
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Rotate 9 bits (CF,r/m byte) left once 

Rotate 9 bits (CF,r/m byte) left CL times 
Rotate 9 bits (CF,r/m byte) left imm8 times 
Rotate 17 bits (CF,r/m word) left once 

Rotate 17 bits (CF,r/m word) left CL times 
Rotate 17 bits (CF,r/m word) left imm8 times 
Rotate 33 bits (CF,r/m dword) left once 
Rotate 33 bits (CF,r/m dword) left CL times 
Rotate 33 bits (CF,r/m dword) left imm8 times 
Rotate 9 bits (CF,’/m byte) right once 

Rotate 9 bits (CF,r/m byte) right CL times 
Rotate 9 bits (CF,r/m byte) right imm8 times 
Rotate 17 bits (CF,r/m word) right once 
Rotate 17 bits (CF,r/m word) right CL times 
Rotate 17 bits (CF,r/m word) right imm8 times 
Rotate 33 bits (CF,r/m dword) right once 
Rotate 33 bits (CF,r/m dword) right CL times 
Rotate 33 bits (CF,r/m dword) right imm8 times 
Rotate 8 bits r/m byte left once 

Rotate 8 bits r/m byte left CL times 

Rotate 8 bits r/m byte left imm8 times. | 
Rotate 16 bits r/m word left once 

Rotate 16 bits r/m word left CL times _ 
Rotate 16 bits r/m word left imm& times 


- Rotate 32 bits r/m dword left once 


Rotate 32 bits r/m dword left CL times 
Rotate 32 bits r/m dword left immé times 
Rotate 8 bits r/m byte right once 

Rotate 8 bits r/m byte right CL times 
Rotate 8 bits r/m word right imm8 times 


Rotate 16 bits r/m word right once. 
‘ Rotate 16 bits r/m word right CL times 


Rotate 16 bits r/m word right imm8 times _ - 
Rotate 32 bits r/m dword right once 
Rotate 32 bits r/m dword right CL times 
Rotate 32 bits r/m dword right imm8 times 
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(* ROR - Rotate Right *) 
temp <- COUNT; 
WHILE (temp <> 0) 
DO 
— tmpcf — low- order bit of (/m): 
r/m <— r/m/ 2 + (tmpcf * pwiathieim)y, 
temp <— ~ temp =; : : 
DO; 
IF COUNT = 1. 
THEN 
IF (high-order bit of ol) <> (bit next to high-order bit of de 
THEN OF < 1; | 
ELSE OF < 0; 
sees 
ELSE OF <— undefined; 
Fl; 


Description —__ 


Each rotate instruction shifts the bits of the register or memory operand given. The left 
rotate instructions shift all the: bits upward, except for the top bit, which is returned to 
the bottom. The right rotate instructions do the reverse: the bits shift downward until the 
bottom bit arrives at the top. 7 


For the RCL and RCR instructions, the CF flag is part of the rotated quantity. The RCL 
instruction shifts the CF flag into the bottom bit and shifts the top bit into the CF flag; 
the RCR instruction shifts the CF flag into the top bit and shifts the bottom bit into the 
CF flag. For the ROL and ROR instructions, the original value of the CF flag is not a 
part of the result, but the CF flag receives a copy of the bit that was shifted from one end 
to the other. 


The rotate is repeated the number of times indicated by the second operand, which is 
either an immediate number or the contents of the CL register. To reduce the maximum 
instruction execution time, the Intel486 processor does not allow rotation counts greater 
than 31. If a rotation count greater than 31 is attempted, only the bottom five bits of the © 
rotation are used. The 8086 does not mask rotation counts. The Intel486 Processor: in 
Virtual 8086 Mode does mask rotation counts. | : 


The OF flag is defined only for the single-rotate forms of the instructions (second oper- 
and is a 1). It is undefined in all other cases. For left shifts/rotates, the CF bit after the 
shift is XORed with the high-order result bit. For right shifts/rotates, the high-order two 
bits of the result are XORed to get the OF flag. 7 


Flags Affected 
The OF flag is affected ealy for single-bit rotates; the OF flag i is undefined for multi-bit 


rotates; the CF flag contains the value of the bit shifted into it; the SF, ZF, AF, and PF 
flags are not affected. | 
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Protected Mode. Exceptions 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault- code) for a page fault; #AC fs unaligned memory reference 
if the current privilege level is 3. 


‘Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


_ Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 3 


26-243 


intel. 


INSTRUCTION SET 


REP/REPE/REPZ/REPNE/REPNZ— Repeat Following — 


Opcode ~ 


F3 6C 


Instruction 
REP INS '‘r/m8, DX 


REP INS r/m716,DX 


REP INS 1/m32,DX 


REP MOVS m8,m8& 
REP MOVS m16,m16 
REP MOVS m32,m32 


_ REP OUTS DX,1/m8- 


REP OUTS DxX,r/m16 


REP OUTS DXx,i/m32 


REP LODS AL 

REP LODS AX 

REP LODS EAX 

REP STOS m8 

REP STOS m16 

REP STOS m32 

REPE CMPS m8,m8 
REPE CMPS m16,m16 
REPE CMPS m32,m32 
REPE SCAS m8 

REPE SCAS m16. 
REPE SCAS m32 
REPNE CMPS m8,m8 


REPNE CMPS m16,m16 
REPNE CMPS m32,m32 


REPNE SCAS m8 
REPNE SCAS m16 
REPNE SCAS m32 


Clocks 
16+8(E)CX, _ 
pm=10+8( E}CX"/ 
30 + B(E)OX" 


VM =29 + B(E)CX 
5*3 13%4 19 4.3(E)CX*5 
5*3 13*4 19 4 3(E)CX*S 


—-5*3 13*4 424 3(E)CX*S 


17 +5(E)CX, . 
pm=11+5( (E)CX*"/ 


 8145(E)CX* 


vm = 0 rCLE}OX 
17 + 5(E)CX, 
pm=11+5( (E)CX*"/ 
31 +5(E)CX* 

vm = 30 + 5(E)CX 
17 +5(E)CX, 
pm=11+5( E)CX*"/ 
31 +5(E)CX* 

vm = 30 + 5(E)CX 
oe )Cx*6 


5x2, 7 +7(E)CX*® 
5*3.7 4 7(E)CX*® 
5*3 7 +7(E)CX*6 
5*3 7 + 5(E)CX*® 
5*3 7 + 5(E)CX*® 
5*3 7 +5(E)CX*® 
5*3,7 + 7(E)CX*® 
5*3 7 +7(E)CX*® 
5*3 7 +7(E)CX*6 
5*3 7 +5(E)CX*® 
5*5 7 +5(E)CX*6 


5*3.7 +5(E)CX*S 


_ Operation 


Descantion 
Input (E)CX bytes from port DX into ES:[(E)DI] 


Input (E)CX words from port DX into ES:[(E)DI] 


Input (E)CX dwords from pot DX into ES:[(E)DI] 


Move (E)CX bytes from [(E)SI] to ES: (EDI) 
Move (E)CX words from [(E)SI] to ES:[(E)DI] 
Move (E)CX dwords from [(E)SI] to ES:[(E)DI] 
Output (E)CX bytes from [(E)SI] to port DX 


Output (E)CX words from [(E)SI] to port DX 


Output (E)CX dwords from [(E)SI] to port DX 


Load (E)CX bytes from [(E)S!] to AL 
Load (E)CX words from [(E)SI] to AX 
Load (E)CX dwords from [(E)S!] to EAX 
Fill (E)CX bytes at ES:[(E)DI] with AL 

Fill (E)CX words at ES:[(E)DI] with AX 
Fill (E)CX dwords at ES:[(E)DI] with EAX 
Find nonmatching bytes in ES:[(E)D!] and [(E)S1] 
Find nonmatching words in ES:[(E)DI] and [(E)Sl] 


Find nonmatching dwords in ES:[(E)DI] and [(E)S]] 


Find non-AL byte starting at ES:[(E)DI} 

Find non-AX word starting at ES:[(E)DI] 

Find non-EAX dword starting at ES:[(E)DI] 

Find matching bytes in ES:[(E)DI] and [(E)SI] 
Find matching words in ES:[{(E)DI] and [(E)SI] 
Find matching dwords in ES:[(E)DI] and [(E)SI!] 
Find AL, starting at ES:[(E)DI!] 

Find AX, starting at ES:[(E)DI] 

Find EAX, starting at ES:[(E)DI] 


NOTES: *1 If CPL < IOPL 
*2 If CPL > IOPL 
*3 (E) CX=0 
*4 (E) CX =1 
*5 (E) CX > 1 
*6 (E) CX > 0 


Operation 


IF AddressSize = 16 

THEN use CX for CountReg; 

ELSE (* AddressSize = 32 *) use ECX for CountReg; 
Fl; 


26-244 


intel. INSTRUCTION SET 


WHILE CountReg <>.0 


DO. 


service pending interrupts (if any); 


perform primitive string instruction; 


CountReg <— CountReg — 1; 


IF primitive operation is CMPSB, CMPSW, SCASB, or SCASW 


THEN 


IF (instruction is REP/REPE/REPZ) AND (ZF =0) 
THEN exit WHILE loop 
ELSE 
IF (instruction is REPNZ or REPNE) AND (ZF = 1) 
THEN exit WHILE loop; 
Fl; 
Fl; 


Fl: 
OD; 


Description 


The REP, REPE (repeat while equal), and REPNE (repeat while not equal) prefixes 
are applied to string operation. Each prefix causes the string instruction that follows to 
be repeated the number of times indicated in the count register or (for the REPE and 
REPNE prefixes) until the indicated condition in the ZF flag is no longer met. 


Synonymous forms of the REPE and REPNE prefixes are the REPZ and REPNZ pre- 


_ fixes, respectively. 


The REP prefixes apply only to one string instruction at a time. To repeat a block of 
instructions, use the LOOP instruction or another looping construct. 7 


The precise action for each iteration is as follows: 


NO nO BR W 


. If the address-size attribute is 16 bits, use the CX register for the count register; if 


the address-size attribute is 32 bits, use the ECX register for the count register. 


. Check the count register. If it is zero, exit the iteration, and move to the next 


instruction. 


. Acknowledge any pending interrupts. 

. Perform the string operation once. 

. Decrement the CX or count register by one; no flags are modified. 

. Check the ZF flag if the string operation is a SCAS or CMPS instruction. If the 


repeat condition does not hold, exit the iteration and move to the next instruction. 


_ Exit the iteration if the prefix is REPE and the ZF flag is 0 (the last comparison was 


not equal), or if the prefix is REPNE and the ZF flag is one (the last comparison 
was equal). 


Return to step 2 for the next iteration. 
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Repeated CMPS and SCAS instructions can be exited if the count is.exhausted or if the 
ZF flag fails the repeat condition. These two cases can be distinguished by. using either 
the JCXZ instruction, or by using ~ conditional jumps that test the ZF flag sg SZ, 
JNZ, and JNE instructions). 


Flags Affected | | 
The ZF flag is affected by the REP CMPS and REP SCAS as described above. 
Protected Mode Exceptions 


None. 


Real Address Mode Exceptions 


None. 


Virtual 8086 Mode aie clad : 


None. 


Notes 


Not all I/O ports can handle the rate at which the REP INS and REP OUTS instructions 
_ execute. c 


Do not use the repeat prefix with the LOOP instruction. Proper Loop ppetaren is not 
guaranteed in this case. 


The repeat prefix is ignored when it is used with all other non-string instructions. 
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RET — Return from Procedure 


Instruction Clocks Description 


RET 5 Return (near) to caller 
RET 13,pm=18 Return (far) to caller, same privilege 
RET 13,pm=33 Return (far), lesser privilege, switch stacks 


RET imm16 5 Return (near), pop imm16 bytes of parameters 
RET imm16 14,0m=17 Return (far), same privilege, pop imm16 bytes 
RET imm16 14,0m=33 Return (far), lesser privilege, pop imm76 bytes 


Operation 


IF instruction = near RET 
THEN; 
IF OperandSize = 16 
THEN ~ 
IP < Pop(); | 
EIP <— EIP AND OOOOFFFFH; 
ELSE (* OperandSize = 32 *) 
EIP < Pop(); 


IF instruction has immediate operand THEN eSP < eSP + imm16; Fl; 
Fl; 


IF (PE = 0 OR (PE = 1 AND VM = 1)). 
(* real mode or virtual 8086 mode *) 
AND instruction = far RET 
THEN; 
IF OperandSize = 16 
THEN 
IP — Pop(); 
EIP < EIP AND OOOOFFFFH; 
CS < Pop(); (* 16-bit pop *) 
ELSE (* OperandSize = 32 *) 
EIP < Pop(); | os 
CS < Pop(); (* 32-bit pop, high-order 16-bits discarded *) 
Fl; 
IF instruction has immediate operand THEN eSP < eSP + imm16; Fl; 
Fl; 


IF (PE = 1 AND VM = 0) (* Protected mode, not V86 mode ") 

_ AND instruction = far RET 

THEN 
IF OperandSize = 32 ? 
THEN Third word on stack must be within stack limits else #S3S(0); 
ELSE Second word on stack must be within stack limits else #SS(0); 
Fl; 7 

Return selector RPL must be => CPL ELSE #GP(return selector) 

IF return selector RPL = CPL 
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THEN GOTO SAME-LEVEL; 

ELSE GOTO OUTER- PRIVILEGE- LEVEL; 
«Ble 
Fl 


SAME-LEVEL: | 7 
Return selector must be non-null ELSE #GP(0) 
~ Selector index must be within its descriptor table limits ELSE 
#GP(selector) | 
Descriptor AR byte must indicate code segment ELSE #GP(selector) 
IF non-conforming 
THEN code segment DPL must equal CPL; 
ELSE #GP(selector); 
Fl; 
IF conforming 
THEN code segment DPL must be < CPL; 
ELSE #GP(selector); 
Fl; 
Code segment must be present ELSE #NP(selector); 
Top word on stack must be within stack limits ELSE #SS(0); 
IP must be in code a limit ELSE #GP(0);_ | 
IF OperandSize = “32° 
THEN 
Load CS:EIP from stack 
Load CS register with descriptor 7 
Increment eSP by 8 plus the immediate offset if it exists 
ELSE (* OperandSize = 16 *) 
Load CS:IP from stack 
Load CS register with descriptor | 
Increment eSP by 4 plus the immediate offset if it exists 
Fl; 


OUTER-PRIVILEGE-LEVEL: 
IF OperandSize = 32 | 
- THEN Top (16+immediate) nice on stack must be within ack imits 
ELSE #SS(0); 
ELSE Top (8+ immediate) bytes on slack must be within stack limits ELSE 
#S38(0); 
Fl; 
Examine return CS selector and associated DeSchiplor: 
Selector must be non-null ELSE #GP(0); : | 
Selector index must be within its descriptor table limits ELSE | 
#GP(selector) 
Descriptor AR byte must indicate cone segment ELSE Hor Saeco!) 
IF non-conforming 
THEN code segment DPL must (e008 return seraciae RPL. 
ELSE #GP(selector); 
Fl; 
IF conforming 
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_. THEN code segment DPL must be < return selector RPL; 

ELSE #GP(selector); — 

Fl: 

Segment must be present ELSE #NP(selector) 

Examine return SS selector and associated descriptor: 

Selector must be non-null ELSE #GP(0); 

Selector. index must be within its descriptor table limits 
ELSE #GP(selector); 

Selector RPL must equal the RPL of the return CS selector ELSE 
#GP(selector); 

Descriptor AR byte must indicate a writable data segment ELSE 
#GP(selector); 

Descriptor DPL must equal the RPL of the return CS selector: ELSE 
#GP(selector); — 

Segment must be present ELSE #NP(selector): 

IP must be in code segment limit ELSE #GP(0); 
Set CPL to the RPL of the return CS selector; 

_ IF OperandSize = 32 

- THEN | 

Load CS:EIP from stack; 

Set CS RPL to CPL; | 

Increment eSP by 8 plus the immediate offset if it exists; 

Load SS:eSP from stack; 

ELSE (* OperandSize = 16 *) 

Load CS:IP from stack; 

Set CS RPL to CPL; 

Increment eSP by 4 plus the immediate offset if it exists; 

Load SS:eSP from stack; 

Fl; 

Load the CS register with the return CS descriptor; 
Load the SS register with the return SS descriptor; 
For each of ES, FS, GS, and DS 

DO 

IF the current register setting is not valid for the outer level, 
set the register to null (selector — AR < 0); . 

To be valid, the register setting must satisfy the following properties: 
Selector index must be within descriptor table limits; 
Descriptor AR byte must indicate data or readable code segment; 
IF segment is data or non-conforming code, THEN 

DPL must be = CPL, or DPL must be = RPL; 
Fl; | | 
OD; 


Description 


The RET instruction transfers control to a return address located on the stack. The 
address is usually placed on the stack by a CALL instruction, and the return is made to 
the instruction that follows the CALL instruction. 
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The optional numeric parameter to the RET instruction gives the number of stack bytes 
(OperandMode = 16) or words (OperandMode=32) to be released after the return 
address is popped. These items are typieany used as put parenciets: to the out: 
called. 


For the intrasegment (near) return, the aces on the stack is a eeacnt offset: which is 
popped into the instruction pointer. The CS register is unchanged. For the intersegment 
(far) return, the address on the stack is a long on The offset is popped first, fol- 
lowed by the selector. 3 


In real mode, the CS and IP registers are loaded directly. In Protected Mode, an inter- 
segment return causes the processor to check the descriptor addressed by the return 
selector. The AR byte of the descriptor must indicate a code segment of equal or lesser 
privilege (or greater or equal numeric value) than the current privilege level. Returns to 
a lesser privilege level cause the stack to be reloaded from the value ones. aeons the 
parameter block. 

The DS, ES, FS, and GS segment registers can be cleared by th the RET ei during 
an interlevel transfer. If these registers refer to segments that cannot be used by the new 


privilege level, they are cleared to prevent unauthorized access from the new DEWUCEC 
level. 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP, #NP, or #SS, as described under POperailan above; pene ae for a page 
fault. OF 34.98 : 


Real Address Mode Exceptions 


Interrupt 13 if any eae of the operand would be outside the effective address pee from 
0 to OFFFFH. : 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault. 


26-250 


intel . INSTRUCTION SET 


SAHF — Store AH into Flags 


Opcode Instruction Clocks Description 
9E SAHF a. 2 . Store AH into flags SF ZF xx AF xx PF xx CF 
Operation 


SE:ZF:xx: AF:xx: PF:xx:CF <— AH; 


Description 


The SAHF instruction loads the SF, ZF, AF, PF, and CF flags with values from the AH 
register, from bits 7, 6, 4, 2, and 0, respectively. 


Flags Affected | 
~The SF, ZF, AF, PF, and CF flags are loaded with values form the AH register. 
Protected Mode Exceptions 


None. 


Real Address Mode Exceptions 


None. 
Virtual 8086 Mode Exceptions 


None. 
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SAL/SAR/SHL/SHR — Shift Instructions 


Instruction ~ ' Clocks Description 


SAL r/m8,1- 8 3/4. Multiply r/m byte by 2, once 
SAL r/m8,CL — 8/4 | Multiply r/m byte by 2, CL times. . 
SAL r/m8,imm8& ~ 2/4. Multiply r/m byte by 2, immé times 
SAL r/m16,1 . 3/4 Multiply r/m word by 2, once 
SAL r/m16,CL 3/4 Multiply r/m word by 2, CL times 
SAL r/m16,imm8 2/4 Multiply r/m word by 2, immé times 
SAL r/m32,1 3/4 Multiply r/m dword by 2, once 
SAL r/m32,CL 3/4 Multiply r/m dword by 2, CL times 
SAL r/m32,imm8 2/4 Multiply r/m dword by 2, imm8 times 
SAR r/m6,1 3/4 Signed divide’ r/m byte by 2, once. 
SAR r/m8,CL 3/4 : Signed divide’ r/m byte by 2, CL times 
SAR r/m8,imm8& 2/4 Signed divide’ r/m byte by 2, immé8 times 
-SAR 1/m16,1 r 3/4. _. Signed divide’ r/m word by 2, once: 
SAR 1/m16,CL . 3/4 ~ . "Signed divide’ r/m word by 2, CL times 
SAR r/m16,imm8 2/4 eer Signed divide’ r/m word by 2, imm8 times 
SAR r/m32,1 3/4 Signed divide’ r/m dword by 2, once 
SAR r/m32,CL 3/4 Signed divide’ r/m dword by 2, CL times 
SAR r/m32,imm8s 2/4 Signed divide’ r/m dword by 2, imm8 times .. 
SHL r/m8,1 3/4 Multiply r/m byte by 2, once 
SHL r/m8,CL 3/4 | Multiply r/m byte by 2, CL times 
SHL 'r/m8imm8 = =— 2/4 _ Multiply r/m byte by 2, imm8 times 
SHL r/m16,1 3/4 Multiply r/m word by 2, once 
SHL 1r/m16,CL 3/4 Multiply r/m word by 2, CL times 
SHL r/m16,imm8 Multiply r/m word by 2, imm8 times . 
SHL r/m32,1 Multiply r/m dword by 2, once 
SHL r/m32,CL Multiply r/m dword by 2, CL times 
SHL r/m32,imm8 Multiply r/m dword by 2, imm& times 
SHR r/m8,1 : ) Unsigned divide r/m byte by 2, once 
SHR r/m8,CL Unsigned divide r/m byte by 2, CL times 
SHR r/m8,imm8 Unsigned divide. r/m byte by 2, immé8 times 
SHR 1/m16,1 Unsigned divide r/m word by 2, once 
SHR 7/m16,CL Unsigned divide r/m word by 2, CL times 
SHR r/m16,imm8 Unsigned divide r/m word by 2, immé times 
SHR r/m32,1 Unsigned divide r/m dword by 2, once 
SHR r/m32,CL | Unsigned divide r/m dword by 2, CL times 
SHR r/m32,imm8 Unsigned divide r/m- dword by 2, imm8 times 


Not the same division. as IDIV; rounding is toward negative infinity. 


Operation 


(* COUNT is the second parameter *) 
(temp) <- COUNT; | 
WHILE (temp <> 0) 
DO 
IF instruction is SAL or SHL 
THEN CF < high-order bit of r/m; 
Fl; ; 
IF instruction is SAR or SHR 
THEN CF < low-order bit of r/m; 
Fl; 
IF instruction = SAL or SHL 
THEN r/m <— r/m * 2; 
Fl; 
IF instruction = SAR | : ; 
THEN r/m < r/m /2 (*Signed divide, rounding toward negative infinity*); 
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Fl; = 
IF instruction = SHR | 
THEN r/m < r/m/ 2; (* Unsigned divide *); 


Fl; - 3 
temp < temp — 1; 
OD; 
(* Determine overflow for the various instructions *) 
IF COUNT = 1 
THEN 


IF instruction is SAL or SHL 
THEN OF < high-order bit of r/m <> (CF); 
Fl; | | 
IF instruction is SAR 
THEN OF < 0; 
Fl; 
IF instruction is SHR 
THEN OF < high-order bit of operand; 
Fl; 

ELSE OF < undefined; 

Fl; 


Description 


The SAL instruction (or its synonym, SHL) shifts the bits of the operand upward. The | 
high-order bit is shifted into the CF flag, and the low-order bit is cleared. 


The SAR and SHR instructions shift the bits of the operand downward. The low-order 
bit is shifted into the CF flag. The effect is to divide the operand by two. The SAR 
instruction performs a signed divide with rounding toward negative infinity (not the 
same as the IDIV instruction); the high-order bit remains the same. The SHR instruc- 
tion performs an unsigned divide; the high-order bit is cleared. 


The shift is repeated the number of times indicated by the second operand, which is 
either an immediate number or the contents of the CL register. To reduce the maximum 
execution time, the Intel486 processor does not allow shift counts greater than 31. If a 
shift count greater than 31 is attempted, only the bottom five bits of the shift count are 
used. (The 8086 uses all eight bits of the shift count.) 


The OF flag is affected only if the single-shift forms of the instructions are used. For left 
shifts, the OF flag is cleared if the high bit of the answer is the same as the result of the 
CF flag (i.e., the top two bits of the original operand were the same); the OF flag is set 
if they are different. For the SAR instruction, the OF flag is cleared for all single shifts. 
For the SHR instruction, the OF flag is set to the high-order bit of the original operand. 


Flags Affected 
If count = 0, the flags are not affected. 
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The CF flag is undefined for SHL and SHR instructions in which the shift ee are 
greater than the size of the operand to be shifted. 


The OF flag is affected for single shifts; the OF fae is undefined for seoautaipte shifts; the 
CF, ZF, PF, and SF flags are set according to the result. 


Protected Mode Exceptions | | 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment, #PF(fault-code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. : : 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- -code) for a page fault; #AC for | 
unaligned memory reference if the current privilege level is 3. 
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SBB — Integer Subtraction with Borrow 


Instruction Description 


SBB AL,imm8 Subtract with borrow immediate byte from AL 

SBB AX,imm16 Subtract with borrow immediate word from AX 

SBB EAX,imm32 Subtract with borrow immediate dword from EAX 

SBB r/m8,imm8 Subtract with borrow immediate byte from r/m byte 

SBB r/m16,imm16 — Subtract with borrow immediate word from r/m word 

SBB r/m32,imm32 Subtract with borrow immediate dword from r/m dword 

SBB r/m16,imm8& Subtract with borrow sign-extended immediate byte from r/m word 
SBB r/m32,imm8 Subtract with borrow sign-extended immediate byte from r/m dword 
SBB r/m8,r8 Subtract with borrow byte register from r/m byte 

SBB r/m16,r16 Subtract with borrow word register from r/m word 

SBB r/m32,r32 Subtract with borrow dword register from r/m dword 

SBB r8,r/m8 Subtract with borrow r/m byte from byte register 

SBB r16,r/m16 Subtract with borrow r/m word from word register 

SBB 132,r/m32 Subtract with borrow r/m dword from dword register 


Operation 


IF SRC is a byte and DEST is a word or dword 
THEN DEST = DEST — (SignExtend(SRC) + CF) 
ELSE DEST <— DEST — (SRC + CF); 


Description 


The SBB instruction adds the second operand (SRC) to the CF flag and subtracts the 
result from the first operand (DEST). The result of the subtraction is assigned to the 
first operand (DEST), and the flags are set accordingly. 


When an immediate byte value is subtracted from a word operand, the immediate value 
is first sign-extended. 


Flags Affected 


The OF, SF, ZF, AF, PF, and CF flags are set according to the result. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH.. 
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Virtual 8086 Mode Exceptions 


_ Same exceptions as in Real Address Mode; #PF(fault- code) for a page fault; #AC o 
unaligned gee) reference if the current privilege level is 3. , 
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SCAS/SCASB/SCASW/SCASD — Compare String Data 


Opcode Instruction Clocks Description 


AE SCAS m8 ~ Compare bytes AL-ES:[Dl], update (E)DI 
AF SCAS m16 - Compare words AX-ES:[DIl], update (E)DI 
AF SCAS m32 Compare dwords EAX-ES:[Dl], update (E)DI 
AE SCASB Compare bytes AL-ES:[D!], update (E)DI 
AF SCASW Compare words AX-ES:[Dl], update (E)DI 
AF SCASD Compare dwords EAX-ES:[Dl], update (E)DI - 


Oo oO A 


Operation 


IF AddressSize = 16 
THEN use DI for dest-index; 
ELSE (* AddressSize = 32 *) use EDI for dest-index; 
Fl; _ | 
IF byte type of instruction 
THEN 
AL — [dest-index]; (* Compare byte in AL and dest *) 
IF DF = O THEN IndDec < 1 ELSE IncDec < —1; FI; 
ELSE . : 7 a: : ae 
IF OperandSize = 16 
THEN 
AX — [dest-index]; (* compare word in AL and dest *). 
IF DF = 0 THEN IncDec < 2 ELSE IncDec < —2; FI; 
ELSE (* OperandSize = 32 *) | mae 
EAX — [dest-index];(* compare dword in EAX & dest *) 
IF DF = 0 THEN IncDec < 4 ELSE IncDec < —4; FI; 
Fl; 
Fl: 
dest-index = dest-index + IncDec 


Description 


The SCAS instruction subtracts the memory byte or word at the destination register 
from the AL, AX or EAX register. The result is discarded; only the flags are set. The 
operand must be addressable from the ES segment; no segment override is possible. 


If the address-size attribute for this instruction is 16 bits, the DI register is used as the 
destination register; otherwise, the address-size attribute is 32 bits and the EDI register 
is used. , 


The address of the memory data being compared is determined solely by the contents of 
the destination register, not by the operand to the SCAS instruction. The operand vali- 
dates ES segment addressability and determines the data type. Load the correct index 
value into the DI or EDI register before executing the SCAS instruction. 
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After the comparison is made, the destination register is automatically updated. If the 
direction flag is 0 (the CLD instruction was executed), the destination register is incre- 
mented; if the direction flag is 1 (the STD instruction was executed), it is decremented. 
The increments or decrements are by 1 if bytes are compared, by 2 if words are com- 
pared, or by 4 if coublewords are compared. 


The SCASB, SCASW, and SCASD instructions are synonyms for the byte, word and 
doubleword SCAS instructions that don’t require operands. They are simpler to code, 
but provide no type or segment checking. 


The SCAS instruction can be preceded by the REPE or REPNE prefix for a block 
search of CX or ECX bytes or words. Refer to the REP instruction for further details. 


Flags Affected 


The OF, SF, ZF, AF, PF, and CF flags are set according to the result. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the ES segment; #PF(fault- 


code) for a page fault; #AC for unaligned memory reference if the current privilege 
level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the pean would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- code) for a page fault; #AC for 
unaligned memory reterence if the current privilege level is 3. 
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SETcc— Byte Set on Condition 


. Instruction Clocks ‘ Description 


SETA r/m8 4/3 Set byte if above (CF=0 and ZF=0) 

SETAE r/m8& 4/3 Set byte if above or equal (CF =0) 

SETB r/m8 4/3 Set byte if below (CF =1) 

SETBE r/m8 4/3 Set byte if below or equal (CF =1 or (ZF=1) 
SETC r/m8 4/3 Set if carry (CF =1) 

SETE r/m8 . 4/3 Set byte ifequal (ZF=1) 

SETG r/mé ° APBD ee Set byte if greater (ZF =O and SF=OF) » 
SETGE r/m8 4/3 Set byte if greater or equal (SF = OF) 

SETL r/m8 4/3 Set byte if less (SF<>OF) 

SETLE r/m8 4/3 Set byte if less or equal (ZF=1 or SF<>OF) 
SETNA r/m8 4/3 Set byte if not above (CF=1 or ZF=1) 
SETNAE r/m8 4/3 Set byte if not above or equal (CF = 1) 
SETNB r/m8 4/3 Set byte if not below (CF =0) 

SETNBE r/m8 4/3 Set oe if not below or equal (CF =0 and 


SETNC r/m8 4/3 Set byte if not carry (CF=0) © 

SETNE r/m8 4/3 Set byte if not equal (ZF =0) 

SETNG r/m8 4/3 | Set byte if not greater (ZF=1 or SF<>OF) 
SETNGE r/m8 4/3 Set if not greater or equal (SF<>OF) 
SETNL r/m8 4/3 Set byte if not less (SF = OF) 

SETNLE r/m8 4/3 Set byte if not less or equal (ZF =0 and SF =OF) 
SETNO r/m8 4/3 Set byte if not overflow (OF =0) 
SETNP 1r/m8 4/3 Set byte if not parity (PF =0) 

SETNS r/m8 4/3 Set byte if not sign (SF =0) 

SETNZ r/m8 4/3 Set byte if not zero (ZF =0) 

SETO r/m8 4/3 Set byte if overflow (OF = 1) 

SETP r/m8 4/3 7 Set byte if parity (PF = 1) 

SETPE r/m8 4/3 Set byte if parity even (PF = 1) 

SETPO r/m8 4/3 Set byte if parity odd (PF =0) 

SETS r/m8 4/3 Set byte if sign (SF =1) 

SETZ r/m8 4/3 Set byte if zero (ZF =1) 


Operation 


IF condition THEN r/m8 <— 1 ELSE r/m8 < 0; FI; 


Description 


The SETcc instruction stores a byte at the destination specified by the effective address 
or register if the condition is met, or a 0 byte if the condition is not met. 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP(0) if the result is in a non-writable segment; #GP(0) for an illegal memory oper- 
and effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned mem- 
ory reference if the current privilege level is 3. 
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Real Address Mode Exceptions 


Interrupt 13 if any part of the >Operand would lie outside of the effective address space 
from 0 to OFFFFH. | are | oe Sse 


Virtual 8086 Mode Exceptions 2 


| Same ker puonsa as in Real Address Mode; #PF(fault- ode for a | page fault 
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SGDT/SIDT — Store Global/Interrupt Descriptor Table Register 


Opcode Instruction Clocks | Description 


OF 01 /0 SGDT m 10 : 3 Store GDTR to m 
OF 01/1 SIDT m 10 Store IDTR to m 


Operation 


DEST < 48-bit BASE/LIMIT register contents; 


Description 


The SGDT and SIDT instructions copy the contents of the descriptor table register to 
the six bytes of memory indicated by the operand. The LIMIT field of the register is 
assigned to the first word at the effective address. If the operand-size attribute is 16 bits, 
the next three bytes are assigned the BASE field of the register, and the fourth byte is 
undefined. Otherwise, if the operand-size attribute is 32 bits, the next four bytes are 
assigned the 32-bit BASE field of the register. 


The SGDT and SIDT instructions are used only in operating system software; they are 
not used in application programs. 


Flags Affected 


None. 


Protected Mode Exceptions 


Interrupt 6 if the destination operand is a register; #GP(Q) if the destination is in a 
nonwritable segment; #GP(0) for an illegal memory operand effective address in the CS, 
DS, ES, FS, or GS segments; #SS(0) for an illegal address in the SS segment; #PF(fault- 
code) for a page fault; #AC for unaligned memory reference if the current privilege 
level is 3. 


Real Address Mode Exceptions 


Interrupt 6 if the destination operand is a register; Interrupt 13 if any part of the oper- 
and would lie outside of the effective address space from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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Compatibility Note 


The 16-bit forms of the SGDT and SIDT instructions are compatible with the 286 pro- 
cessor, if the value in the upper eight bits is not referenced. The 286 processor stores 1’s 
in these upper bits, whereas‘ the Intel386 DX and Intel486 processors store 0’s if the 
operand-size attribute is 16 bits. These bits were specified as undefined by the SGDT 
and SIDT instructions in the iAPX 286 Programmer’s Reference Manual. 
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SHLD — Double Precision Shift Left 


Instruction | Clocks Description 


SHLD r/m16,r16;imm8 2/3 1/m16 gets SHL of r/m16 concatenated with r76 
SHLD r/m32,r32,imm8 2/3 r/m32 gets SHL of r/m32 concatenated with r32 
SHLD r/m16,r16,CL 3/4 r/m16 gets SHL of r/m16 concatenated with r76 
SHLD 7/m32,r32,CL 3/4 r/m32 gets SHL of r/m32 concatenated with r32 


Operation 


(* count is an unsigned integer corresponding to the last operand of the i nStucton, either an 
immediate byte or the byte in register CL *) 

shiftAmt <— count MOD 32; 

inBits < register; (* Allow overlapped operands *) 


IF ShiftAmt = 0 
THEN no operation 
ELSE 


IF ShiftAmt = OperandSize 
THEN (* Bad parameters *) 
r/m — UNDEFINED; 
CF, OF, SF, ZF, AF, PF < UNDEFINED; 
ELSE (* Perform the shift *) 
CF < BIT[Base, OperandSize — ShiftAmt]; 
(* Last bit shifted out on exit *) 
FOR i < OperandSize — 1 DOWNTO ShiftAmt 
DO 
- BIT[Base, i] — BIT[Base, i — ShiftAmt]; 
OF; 
FOR i <— ShiftAmt — 1 DOWNTO 0 
DO 
BIT[Base, i] <— BIT[inBits, i — ShiftAmt + OperandSizel; 
OD; 
Set SF, ZF, PF (r/m); 
(* SF, ZF, PF are set according to the value of the result *) 
AF < UNDEFINED; 
Fl; 
Fl: 


Description 


The SHLD instruction shifts the first operand provided by the r/m field to the left as 
many bits as specified by the count operand. The second operand (176 or r32) provides 
the bits to shift in from the right (starting with bit 0). The result is stored back into the 
r/m operand. The register remains unaltered. 


The count operand is provided by either an immediate byte or the contents of the CL 
register. These operands are taken MODULO 32 to provide a number between 0 and 31 
by which to shift. Because the bits to shift are provided by the specified registers, the 
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seerdion is useful for mulepisccion shifts (64 bits or more). The SF, ZF and PF aes 
are set according to the value of the result. The CF flag is set to the value of the last Pe 
shifted out. The OF and AF aes are left undefined. | 7 


mage Affected 

If count = 0: the Seen 

The SF, ZF, and PF, flags are set according to the result; the CF flag is set to the value 
of the last bit shifted out; after a shift of one bit position, the OF flag is set if a sign 
change occurred, otherwise it is cleared; after a shift of more than one bit position, the 


OF flag is undefined; the AF flag is undefined, except for a shift count oe Zero, » which 
does not affect any flags. | ts , 


Protected Mode Exceptions 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address'in 


the SS segment; #PF (fault- code) for a page fault; #AC for unaligned memory reference 
if the current prices level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address spate 
from 0 to OFFFFH. | 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF (fault- code) for a page fault #AC for 
unaligned memory reference if the current privilege levelis3. 
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SHRD — Double Precision Shift Right | 


Instruction Clocks . © Description 


SHRD 1/m16,r16,imm8& 2/3 r/m16 gets SHR of r/m16 concatenated with r76 
SHRD 1/m32,r32,imm8s 2/3 r/m32 gets SHR of r/m32 concatenated with r32 
SHRD /m16,r76,CL 3/4 r/m16 gets SHR of r/m16 concatenated with r16 
SHRD 1/m32,r32,CL 3/4 r/m32 gets SHR of r/m32 concatenated with r32 


Operation 


(* count is an unsigned integer corresponding to the last operand of the instruction, either an 
immediate byte or the byte in register CL *) | 

ShiftAmt < count MOD 32; 

inBits < register; (* Allow overlapped operands *) 


IF ShiftAmt = O 
THEN no Operation 
ELSE — 


IF ShiftAmt = OperandSize 
' THEN (* Bad parameters *) 
r/m <— UNDEFINED; 
CF, OF, SF, ZF, AF, PF — UNDEFINED; 
ELSE (* Perform the shift *) 
CF < BIT[r/m, ShiftAmt — 1]; (* last bit shifted out on exit *) 
_FORi <0 TO OperandSize — 1 — ShiftAmt 
DO 
BIT[r/m, i] <— BIT[r/m, i — ShiftAmt]; 
OD; 
FOR i < OperandSize — ShiftAmt TO OperandSize-—1 
DO | 
BIT[r/m,i] <— BIT[inBits,i+ Shiftamt — OperandSize]; 
OD; 
(* SF, ZF, PF are set according to the value of the result *) 
Set SF, ZF, PF (r/m); 
AF <-UNDEFINED; 
FT; 
Fl: 


Description 


The SHRD instruction shifts the first operand provided by the r/m field to the right as 
many bits as specified by the count operand. The second operand (r76 or r32) provides 
the bits to shift in from the left (starting with bit 31). The result is stored back into the 
r/m operand. The register remains unaltered. 


The count operand is provided by either an immediate byte or the contents of the CL 
register. These operands are taken MODULO 32 to provide a number between 0 and 31 
by which to shift. Because the bits to shift are provided by the specified register, the 
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operation is useful for multi- precision shifts (64 bits or more). The SF, ZF and PF flags 
are set according to the value of the result. The CF flag is set to the value of the - bit 
shifted out. The OF and AF flags. are left undefined. : 


Flags Affected 

| if count = 0, the flags are not affected. 

The SF, ZF, and PF flags are set according to the result; the CF flag is set to the value 
of the last bit shifted out; after a shift of one bit position, the OF flag is set if a sign 
change occurred, otherwise it is cleared; after a shift of more than one bit position, the 


OF flag is undefined; the AF flag is undefined, except for a shift count of zero, which 
does not affect any flags. ee 


Protected Mode Exceptions 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault- code) for a page fault; #AC for a memOH reference 
if the current privilege level is 3. 


Real Address Mode Exceptions | 


Interrupt 13 if any part of the operand would lie outside of the effective Addie space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #AC for unaligned memory reference if the 
current privilege level is 3. 
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SLDT — Store Local Descriptor Table Register 


Operation 


r/m16 <— LDTR; 


Description 

The SLDT instruction stores the Local Descriptor Table Register (LDTR) in the two- 
byte register or memory location indicated by the effective address operand. This regis- 
ter is a selector that points into the Global Descriptor Table. 


The SLDT instruction is used only in operating system software. It is not used in appli 
cation programs. : 


Flags Affected 
None. | 

Protected Mode Exceptions , | | 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault- code) for a page fault; #AC for ehenenes memory reference 
if the current privilege level is 3. ek oun se | — 


Real Address Mode Exceptions 
Interrupt 6; the SLDT instruction is not recognized in Real Address Mode. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Notes 


The operand-size attribute has no effect on the operation of the instruction. 
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SMSW —Store Machine Status Word | 


Operation 


r/m16 — MSW; 


Description 


_ The SMSW instruction stores the machine status word (part of the CRO register) in the 
two-byte register or memory location indicated by the effective address operand. | 


Flags Affected 

None. 7 

Protected Mode Exceptions 

#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference 
if ie current PUNE levelis3. 


Real Address Mode Exceptions: 


jarernapt 3 if any part of the operand would lie outside of the effective address space 
_ from 0 to oD 


Virtual 8086 Mode ‘Exceptions 


Same exceptions as in Real Address Mode; #PF (fault. -code) Si a paee fault; #AC for 
unaligned memory reference if the current privilege level is 3. , 


Notes 


This instruction is provided for compatibility with the 80286 processor; programs for the 
Intel486 processor should use the MOV ..., CRO instruction. s 
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STC — Set Carry Flag 


Operation 


CF <— 1; 

pescapiion 

The STC instruction sets the CF flag. | 
Flags Affected _ 
The CF flag is set. 


Protected Mode Exceptions 
None. 
Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


None. 
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STD — Set Direction Flag 


Opcode _Instruction _, ‘Clocks | Description 


FD STD Ee Gta tee Sign _ Set direction flag so (E)SI and/or (E)DI decre- . 
ee ; ee ee sein «Ap cite oS: VSs Rien ~ cupid, aL PEGMAE dots. 2. 


Operation 


DF < 1; 


Description 


The STD instruction sets the direction flag, causing all subsequent string operations to 
decrement the index registers, (E)SI and/or (E)DI, on which they operate. __ 


Flags Affected 


The DF flag is set. 


Protected Mode Exceptions 
None. 
Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions | 


None. 
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STI — Set Interrupt Flag 


Opcode Instruction - Clocks Description 


FB STI 5 Set interrupt flag; interrupts enabled at the end 
of the next instruction 


Operation 


IF <— 1 


Description 

The STI instruction sets the IF flag. The processor then responds to external interrupts 
after executing the next instruction if the next instruction allows the IF flag to remain 
enabled. If external interrupts are disabled and you code the STI instruction followed by 
the RET instruction (such as at the end of a subroutine), the RET instruction is allowed 
to execute before external interrupts are recognized. Also, if external interrupts are 
disabled and you code the STI instruction followed by the CLI instruction, then external 
interrupts are not recognized because the CLI instruction clears We IF flag during its 
execution. 


Flags Affected 
The IF flag is set. 


Protected Mode Exceptions 


#GP(0) if the current privilege level is greater (has less privilege) than the HO privilege 
level. 


Real Address Mode Exceptions 


None. 


Virtual 8086 Mode Exceptions 


Same as Protected Mode. 


Note 


In case of an NM1, trap, or fault following ST1 the interrupt will be taken before exe- 
cuting the next sequential instruction in the code. 
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STOS/STOSB/STOSW/STOSD — Store String Data 


| Opcode Instruction ei Description 


$TOS m8 .. ey E>, Store AL in byte ES:[(E)DI], update (E)DI 
STOS m16 ae 2 Store AX in word ES:[(E)Dl], update (E)DI 


_ STOS m32. .. . : aks Gh oes _. Store EAX in dword ES:[(E)DI], update (E)DI 
STOSB Store AL in byte ES:[(E)DI], update (E)DI 
STOSW Store AX in word ES:[(E)DI], update (E)DI — 
STOSD Store EAX in dword ES:[(E)DI], update (E)DI 


Operation 


IF AddressSize = 16 
THEN use ES:DI for DestReg . sy 
See (* AddressSize = = 32 *) use ES: EDI for rDestReg Dae 
Els, ‘ox e%; 
‘IF. byte type a instruction. 
THEN - | _ 
(ES: DestRteg) - <—. AL: 
IF DF = 0. 
THEN DestReg <_ DestReg + 41 
ELSE DestReg < DestReg — 1; 
Fl; 
ELSE IF OperandSize = 16 
THEN 
(ES:DestReg) < AX; 
IF DF = 0 
THEN DestReg < DestReg + 2; 
aoe Pesiied <_— DestReg a 
FI; 3 
ELSE (* OperandSize = 32 *) 
(ES:DestReg) < EAX; 
IF DF = 0 
THEN DestReg < DestReg + 4; 
ELSE DestReg < DestReg — 4; 
Fl; 
Fl; 
Fl; 


PePenipuon 


The STOS instruction transfers the contents of the AL, AX, or EAX register to the 
memory byte or word given by the destination register relative to the ES segment. The 
destination register is the DI register for an address-size attribute of 16 bits or the EDI 
register for an address-size attribute of 32 bits. 


The destination operand must be addressable from the ES register. A segment override 
is not possible. 
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The address of the destination is determined by the contents of the destination register, 
not by the explicit operand of the STOS instruction. This operand is used only to vali- 
date ES segment addressability and to determine the data type. Load the correct index 
value into the destination register before executing the STOS instruction. 


After the transfer is made, the DI register is automatically updated. If the DF flag is 0 
(the CLD instruction was executed), the DI register is incremented; if the DF flag is 1 
(the STD instruction was executed), the DI register is decremented. The DI register is 
incremented or decremented by 1 if a byte is stored, by 2 if a word is stored, or by 4 if a 
doubleword is stored. 

The STOSB, STOSW, and STOSD instructions are synonyms for the byte, word, and 
doubleword STOS instructions, that do not require an operand. pe are pun to use, 
but provide no type or segment checking. | , 


The STOS instruction can be preceded by the REP prefix for a block fill of CX or ECX 
bytes, words, or doublewords. Refer to the REP instruction for further details. 


Flags Affected 


None. 


Protected Mode Exceptions 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 


effective address in the ES segment; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the Eiictiive address space 
from 0 to OFFFFH. ae 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. | 
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STR — Store Task Register 


Opcode ‘Instruction - Clocks _ Description - 


OF 00 /1 STR r/m16é 2/3 : 7 Store task register to EA word . 


Operation 
r/m < task register; 
Description 


The contents of the task register are copied to the two-byte register or memory location 
indicated by the effective address operand. 


The STR instruction is used only in operating system software. It 1 is not used in applica- 
tion programs. 


Flags Affected 


None. 


Protected Mode Exceptions 
#GP(0) if the result is in a nonwritable segment: #GP(0) for an illegal memory ry operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault- code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. | 


Real Address Mode Exceptions | | | 
ican 6; the STR instruction is not recognized in Real Address Mode. 
Virtual 8086 Mode Exceptions. 

| Same exceptions as in Real Address Mode. 

Notes 


The operand-size attribute has no effect on this instruction. 
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SUB — Integer Subtraction 


Instruction Clocks . Description 


SUB AL,imm8 . Subtract immediate byte from AL 

SUB AX,imm16 Subtract immediate word from AX 

SUB EAX,imm32 Subtract immediate dword from EAX 

SUB r/m8,imm8 Subtract immediate byte from r/m byte 

SUB r/m16,imm16 Subtract immediate word from r/m word 

SUB r/m32,imm32 Subtract immediate dword from r/m dword 

SUB r/m16,imm8& Subtract sign-extended immediate byte from r/m word 
SUB r/m32,imm8 Subtract sign-extended immediate byte from r/m dword 
SUB r/m68,r8 Subtract byte register from r/m byte 

SUB r/m16,r16 Subtract word register from r/m word 

SUB r/m32,r32 Subtract dword register from r/m dword 

SUB r8,r/m8 Subtract r/m byte from byte register 

SUB r16,r/m16 Subtract r/m word from word register 

SUB 132,r/m32 Subtract r/m dword from dword register 


Operation 
IF SRC is a byte and DEST is a word or dword 
THEN DEST = DEST — SignExtend(SRC); 


ELSE DEST <— DEST — SRC; 
Fl; 


Description 

The SUB instruction subtracts the second operand (SRC) from the first operand 
(DEST). The first operand is assigned the result of the subtraction, and the flags are set 
accordingly. | | 


When an immediate byte value is subtracted from a word operand, the immediate value 
is first sign-extended to the size of the destination operand. 


Flags Affected 


The OF, SF, ZF, AF, PF, and CF flags are set according to the result. 


Protected Mode Exceptions 
#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 


the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. | : 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. . 
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Instruction Description 


TEST AL,imm8 AND immediate byte with AL 
TEST AX,imm16 AND immediate word with AX 
TEST EAX,imm32 AND immediate dword with EAX 


TEST r/m8,imm8 AND immediate byte with r/m byte — 
TEST r/m16,imm16 AND immediate word with r/m word 
TEST r/m32,imm32 AND immediate dword with 'r/m dword 
TEST r/m8,r8 AND byte register with r/m byte 

TEST r/m16,r16 AND word register with r/m word - 
TEST r/m32,r32 AND dword register with r/m dword 


Operation 
DEST : = LeftSRC AND RightSRC; 


CF < 0; 
OF < 0; 


Description 
The TEST instruction computes the bit-wise logical AND of its two operands. Each bit 


of the result is 1 if both of the corresponding bits of the operands are 1; otherwise, each 
bit is 0. The result of the operation is discarded and only the flags are modified. 


Flags Affected 


The OF and CF flags are cleared; the SF, ZF, and PF lags are set according to the 
result. 


Protected Mode Exceptions 
#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault- -code) for a page 
fault; #AC for Hoanened memory reference if the current privilege level is 3. 


Real Address Mode Exceptions: 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual e986 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault-code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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_VERR, VERW — Verify a Segment for Reading or Writing 


Opcode Instruction Clocks Description - 


OF 00 /4 VERR r/m16-° 11/11 . Set ZF =1 if segment can be read, selector in r/m16 
OF 00 /5 VERW r/m16. 11/11 Set ZF =1 if segment can be written, selector in r/m16 


Operation | 


IF segment with Seisdior at (/m) is accessible 
with current protection level 
AND ((segment is readable for VERR) OR 
~ (segment is writable for VERW)) 

THEN ZF < 1; 

ELSE ZF < 0; 

Fl; 


Description 


The two- byte register or memory operand of the VERR and VERW instructions con- 
tains the value of a selector. The VERR and VERW instructions determine whether the 
segment denoted by the selector is reachable from the current privilege level and 
whether the segment is readable (VERR) or writable (VERW). If the segment is acces- 
sible, the ZF flag is set; if the segment is not accessible, the ZF flag is cleared. To set the — 
oT flag, the following conditions must be met: 


e The selector must denote a descriptor within the bounds of the table (cor. or LDT); 
the selector must be “defined.” 


e The selector must denote the descriptor of a code or data segment (not that of a task 
State segment, LDT, or a gate). 


e For the VERR instruction, the segment must ‘be readable. For the VERW instruc 
‘tion, the segment must be a writable data segment. | | . 


e Ifthe code segment is readable and conforming, the issetstae pales level (DPL) 
can be any value for the VERR instruction. Otherwise, the DPL must be greater than 
or equal to (have less or the same PHVECEE as) both the current pei level and the 
selector’s RPL. | | | 


The validation performed is the same as if the segment were loaded into the DS, ES, FS, 
or GS register, and the indicated access (read or write) were performed. The ZF flag 
receives the result of the validation. The selector’s value cannot result in a protection 
exception, enabling the software to anticipate possible segment access problems. 


Flags Affected 
The ZF flag is set if the segment is accessible, cleared if it is not. 
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Protected Mode Exceptions 

Faults generated by illegal addressing of the memory operand that contains the selector; 
the selector is not loaded into any segment register, and no faults attributable to the 
selector operand are generated. 

#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 


segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page ~ 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 6; the VERR and VERW instructions are not recognized in Real Address 
Mode. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #AC for unaligned memory reference if the 
current privilege level is 3. | | 
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WAIT — Wait 


Opcode Instruction Clocks  —" -. Description | 


9B  . WAIT: - 7 1-3 Causes piosessorito check for | numeric. 
exceptions. 


Description | 

WAIT causes the processor to check for pending unmasked numeric exceptions before 
proceding. | 

Flags Affected 

None. 

Protected Mode Exceptions 

#NM if both MP and TS in CRO are set. _ 

Real Address Mode Exceptions 


Interrupt 7 if both MP and TS in CRO are set. 


Virtual 8086 Mode Exceptions 


#NM if both MP and TS in CRO are set. 


Notes 

Coding WAIT after an ESC instruction ensures that any unmasked floating-point excep- 
tions the instruction may cause are handled before the processor has a chance to modify 
the instruction’s results. 


FWAIT is an alternate mnemonic for WAIT. 


‘Information about when to use WAIT ee is given in Chapter 18, in the section on 
“Concurrent Processing.” 
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WBINVD — Write-Back and Invalidate Cache 


Operation 


FLUSH INTERNAL CACHE 
SIGNAL EXTERNAL CACHE TO WRITE-BACK 
SIGNAL EXTERNAL CACHE TO FLUSH 


Description 
The internal cache is flushed, and a special-function bus cycle is issued which indicates 


that external cache should write-back its contents to main memory. Another special- 
function bus cycle follows, directing the external cache to flush itself. 


| pla? Affected 


Nonec. 


Protected Mode Exceptions 


The WBINVD instruction Is a [eens instruction; #GP(O) if the current PE PuMleee 
level is not 0. | 


Real Address Mode Exceptions 

None. 

Virtual 8086 Mode Exceptions 

#GP(0); the WBINVD instruction is a privileged instruction. 
Notes 


This instruction is implementation-dependent; its function may be implemented differ- 
ently on future Intel processors. 


It is the responsibility of hardware to respond to the external cache write-back and flush 
indications. 


This instruction is not supported on Intel386 processors. See Section 3.11 for detecting 
an Intel486 processor at runtime. See Section 12.2 on disabling the cache. 


26-281 


intel - INSTRUCTION SET 


XADD — Exchange and Add 


Instruction ... Clocks Description 
XADD r/m8,r8 . 3/4 Exchange byte register and r/m byte; load sum 


. _..., into r/m byte. . 

XADD r/m16,r16 3/4 ' Exchange word register and r/m word; load sum 
into r/m word. 

XADD r/m32,r32 3/4 Exchange dword register and r/m dword; load 
sum into r/m dword. 


Operation 


TEMP < SRC + DEST 
SRC <— DEST 
DEST < TEMP 


Description 


The XADD instruction loads DEST into SRC, and then loads the sum of DEST sna the 
original value of SRC into DEST. 


ae Affected 


The CF, PF, AF, SF, ZF, and OF flies are affected as if an ADD instruction aaa been 
executed. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault; #NM if either EM or TS in CRO is 
set; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


inieitupt 13 if any paul of the operand would lie oe the effective address space from 
QOtoOQFFFFH. | | Se aia eae ae 


Virtual 8086 Mode Exccpuons 


Same exceptions as in ane address mode; #PF(fault code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 
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Notes 


This instruction can be used with a LOCK prefix. The Intel386 DX microprocessor does 
not implement this instruction. If this instruction is used, you should provide an equiva- 
lent code that runs on an Intel386 DX processor as well. See Section 3.11 for detecting 

an Intel486 processor at runtime. | 
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XCHG — Exchange Register/Memory with Register 


Opcode Instruction Clocks == ~—.. -_ Description 
90+ r- -XCHG AX,r16 3 Exchange word register with AX — 
90+ r XCHG r16,AX a Nive ee 4 ~ Exchange word register with AX. 
90+ r XCHG EAX,r32 3 Exchange dword register with EAX ... - 
90+ r XCHG 1r32,EAX 3 Exchange dword register with EAX 
86 /r XCHG r/m8,r8 3/5 Exchange byte register with EA byte 
86 /r XCHG r8,r/m8 3/5 Exchange byte register with EA byte 
87 /r XCHG r/m16,r16 3/5 Exchange word register with EA word 
87 /r XCHG r16,r/m16 3/5 Exchange word register with EA word 
87 /r XCHG 1r/m32,r32 3/5 Exchange dword register with EA dword 
87 /r XCHG 132,r/m32 3/5 Exchange dword register with EA dword 
Operation 
temp < DEST 
DEST <— SRC 
SRC < temp 


Description 


The XCHG instruction exchanges two operands. The operands can be in either order. If 
a memory operand is involved, the LOCK# signal is asserted for the duration of the 
exchange, regardless of the presence or absence of the LOCK prefix or of the value of 
the IOPL. 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP(0) if either operand is in a nonwritable segment; #GP(0) for an illegal memory 
operand effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal 
address in the SS segment; #PF(fault-code) for a page fault; #AC for unaligned mem- 
ory reference if -the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 


Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- code) for a page fault; #AC for 
unaligned memory reference if the current privilege level is 3. 


Note 
XCHG can be used for BSWAP for 16-bit data. 


26-284 


intel F INSTRUCTION SET 


XLAT/XLATB — Table Look-up Translation 


Opcode Instruction Clocks Description 
D7 XLAT m8 4 | Set AL to memory byte DS:[(E)BX + unsigned AL] 


D7 XLATB 4 Set AL to memory byte DS:[(E)BX + unsigned AL] 


Operation 


IF AddressSize = 16 
THEN 

AL <— (BX + ZeroExtend(AL)) 
ELSE (* AddressSize = 32 *) 

AL < (EBX + ZeroExtend(AL)); 
Fl; 


Description 

The XLAT instruction changes the AL register from the table index to the table entry. 
The AL register should be the unsigned index into a table addressed by the DS:BX 
register pair (for an address-size attribute of 16 bits) or the DS: EBX register pair (for an 
address-size attribute of 32 bits). 

The operand to the XLAT instruction allows for the possibility of a segment override. 
The XLAT instruction uses the contents of the BX register even if they differ from the 
offset of the operand. The offset of the operand should have been moved into the BX or 
EBX register with a previous instruction. 


_ The no-operand form, the XLATB instruction, can be used if the BX or EBX table will 
always reside in the DS segment. 


Flags Affected 


None. 


Protected Mode Exceptions 


#GP(0) for an illegal memory operand effective address in the CS, DS, ES, FS, or GS 
segments; #SS(0) for an illegal address in the SS segment; #PF(fault-code) for a page 
fault; #AC for unaligned memory reference if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space 
from 0 to OFFFFH. 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- -code) for a page fault; #AC for 
unaligned memory reference. if ine current privilege level is 3. i - 
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XOR — Logical Exclusive OR 


Opcode Instruction _ Clocks Description 


34 ib XOR AL,imm8 Exclusive-OR immediate byte to AL 

35 iw XOR AX,imm16 Exclusive-OR immediate word to AX 

35 id XOR EAX,imm32 Exclusive-OR immediate dword to EAX 

80 /6 ib XOR r/m8,imm8s Exclusive-OR immediate byte to r/m byte 

81 /6 iw XOR r/m16,imm16 Exclusive-OR immediate word to r/m word 

81 /6 id XOR 1r/m32,imm32 Exclusive-OR immediate dword to r/m dword 

83 /6 ib XOR r/m16,imm8s XOR sign-extended immediate byte with r/m word 


83 /6 ib XOR r/m32,imm8 XOR sign-extended immediate byte with r/m dword 
30 /r XOR r/m68,r8 Exclusive-OR byte register to r/m byte 

31 /r XOR r/m16,r16 Exclusive-OR word register to r/m word 

31 /r XOR 1/m32,r32 Exclusive-OR dword register to r/m dword 

32 /r . XOR r8,r/m8& Exclusive-OR byte register to r/m byte 

33 /r XOR r16,r/m16 Exclusive-OR word register to r/m word 

33 /r XOR 132,r/m32 Exclusive-OR dword register to r/m dword 


Operation 


DEST < LeftSRC XOR RightSRC 
CF <0 
OF <— 0 


Description 


The XOR instruction computes the exclusive OR of the two operands. Each bit of the 
result is 1 if the corresponding bits of the operands are different; each bit is 0 if the 
corresponding bits are:the same. The answer replaces the first operand. 


Flags Affected 


The CF and OF flags are cleared; the SF, ZF, and PF flags are set according to the 
result; the AF flag is undefined. 


Protected Mode Exceptions 


#GP(0) if the result is in a nonwritable segment; #GP(0) for an illegal memory operand 
effective address in the CS, DS, ES, FS, or GS segments; #SS(0) for an illegal address in 
the SS segment; #PF(fault-code) for a page fault; #AC for unaligned memory reference 
if the current privilege level is 3. 


Real Address Mode Exceptions 


Interrupt 13 if any part of the operand would lie outside of the effective address space - 
from 0 to OFFFFH. | 
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Virtual 8086 Mode Exceptions 


Same exceptions as in Real Address Mode; #PF(fault- code) for a page fault; #AC for 
unaligned memonyrt reference. if the current privilege level is 3. | 
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Opcode Map A 


APPENDIX A 
OPCODE MAP 


The opcode tables that follow aid in interpreting Intel486 processor object code. Use 
the high-order four bits of the opcode ‘as an index to a row of the opcode table; use the _ 
low-order four bits as an index to a column of the table. If the opcode is OFH, refer to 
the two-byte opcode table and use the second byte of the opcode to index the rows and © 
columns of that table. 


A.1 KEY TO ABBREVIATIONS 


Operands are identified by a two-character code of the form Zz. The first character, an 
uppercase letter, specifies the addressing method; the second character, a lowercase 
letter, specifies the type of operand. 


A.2 CODES FOR ADDRESSING METHOD 


A 


Direct address; the instruction has no modR/M byte; the address of the operand is 
encoded in the instruction; no base register, index register, or scaling factor can be 
applied; e.g., far JMP (EA). 


The reg field of the modR/M byte selects a control register; e.g, MOV (OF 20, 
OF22). 


The reg field of the modR/M byte selects a debug register; e.g., MOV (0F21,0F23). 
A modR/M byte follows the opcode and specifies the operand. The operand is 
either a general register or a memory address. If it is a memory address, the 
address is computed from a segment register and any of the following values: a 
base register, an index register, a scaling factor, a displacement. 


Flags Register. 
The reg field of the modR/M byte selects a general Seen e.g., ADD (00). 


Immediate data. The value of the operand i is encoded in subsequent bytes of the 


instruction. 


The instruction contains a relative offset to be added to the instruction pointer 
register; e.g., JMP short, LOOP. | 


The modR/M byte may refer only to memory; e.g., BOUND, LES, LDS, LSS, LFS, 
LGS. 


The instruction has no modR/M byte; the offset of the operand is coded as a word 
or double word (depending on address size attribute) in the instruction. No base 
register, index register, or scaling factor can be applied; e.g., MOV (A0-A3). 
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R 


a 


The mod field of the modR/M ee sae refer ed toa Benen register; e.g., MOV 
(OF20-0F 24, 0F26). | | 


The ae field of the modR/M bytes aici a cement nee e.2., MOV (8C, SE). 


The’ Teg field of me modR/M me selects a \ test t register; €.8.; MOV (OF 24, 0F26). 


~ ‘Memory sdcnesses by the DS:ST register pair; e.g., MOVS, comps, outs, 
-LODS. 


Memory addressed by the ES:DI register pair; e. +B MOVS, CMPs, INS, STOS, 
SCAS. 


-A.3 CODES FOR OPERAND TYPE — 


Two one-word operands in memory or two double-word operands in memory, 
depending on operand size attribute (used only by BOUND). 


__ Byte (regardless of operand size attribute) 
‘Byte or word, depending on operand size attribute, 


| Double word Urgares of operand size ert), 


Thirty-two bit or 48-bit pointer, sensuaiis on operand Size ataibute. 


Six-byte pseudo- -descriptor 


Word or double word, depending on operand size attribute. — 


~ Word (regardless of operand size attribute) 


A.4 REGISTER CODES 


When. an operand isa specific register encoded in the opcode, the register is identified 
by its name; e.g., AX, CL, or ESI. The name of the register indicates whether the 
register ‘is 324, 16-, or 8-bits wide. A register identifier of the form eXX is used when the 
width of the register depends on the operand size attribute; for example, eAX indicates 
that the AX register is used when the operand size attribute i iS ‘16 se ne EAX os 
is used-when the operand size attribute is 32. 
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intel . OPCODE MAP 


One-Byte Opcode Map 


a 
peta ete 


“INC Sara register 


BR Se A ES Sa DS 


PUSH — aa 


~ Short- ory jump c on n condition (Jb) Se 
ie NE 


acter star werent 


~ XCHG word ¢ or r double-word ‘register with eAX | 


[ocx [ex [ oex | esp | oop [| os | oo 


pt nna eee reer hage ae ttn rt rman te li irene «Reid eons meer! be ets aap Ss 


nee a movsB | movsw/p | cmpsB | CMPSW/D 
_AL,Ob_ Ob, AL Xb, Yb Xv, Yv Xb, Yb Xv, Yv 


MOV. immediate byte into byte register _ 


es a oe GvMip | GvMp |" epi [Evy 


oy snares Varo anne monn ae = ed ee eee 


~ Shift Grp2 
repeat [ol 


oe ies cheney ner ran atinene i otal item ar Ni eeeees te -eemret eter tame ieee: Seprtwariesnar ye tltdine WA haere leh eyes 1 wh bats CANE en at Mma 


LOOPNE. "LOPE LooP = JOXz SL A LRA OR 


OPCODE MAP 


One-Byte Opcode Map 


, E F 
Rt push | byte 
SBB 


0 
7 PUSH POP 
2 
3 
| , | 
2H | POP into general register 
~~ Leax [ex | ex | esx | esp | cep [| est fo 
6 | PUSH IMUL PUSH IMUL INSB INSW/D OUTSB OUTSW/D 

_Wv | GvEviv | Ib tb | GvEvib Yb, DX Yv, DX _DX, XO _DX, Xv 
si ~~ Short-displacemen -displacement j jump on ‘condition (Jb) 

eee ee 
: er mov | wea | mov | pop 
9 | SAKE 
| | oe ae 
B 
a 
C LEAVE = INTO IRET 
D ESC (Escape to coprocessor instruction set) 
ge | cau — Se A A HN 
F | INC/DEC “INC/DEC 
iil cae Reclice 


intal ° OPCODE MAP. 


Two-Byte Opcode Map (first byte is OFH) 


MOV MOV MOV MOV 
Eb,Gb Gv,Ev Gb,Eb | Ev,Gv 
MOV. MOV MOV MOV. | MOV MOV 
Rd,Cd Rd,Dd Cd,Rd | Dd, Rd | Rd,Td Td,Rd 


Long-displacement jump on condition (Jv 


| __bong-dispiacement jump on condition v) 
EN Sa a 


Byte Set on condition (Eb) 


SETO SETNO | SETB | SETNB | SETZ | SETNZ SETBE SETNBE 
A step A step 
PUSH POP BT SHLD SHLD 
‘FS FS Ev,G@v | EvGvib | EvGvCL CMPXCHG CMPXCHG 
XBTS IBTS 
7 | CMPXCHG CMPXCHG LSs BTR LFS Les. MOVZX 
XADD XADD- , 
Eb,Gb Ev.Gv 


tal : OPCODE MAP 


Two-Byte Opcode Map (first byte is OFH) 


~ Long-displacement jump on condition (Jv) 


re oe 
a a 


SETNLE 


SETS SETNS_ SETP SETNP ‘SETL — SETNL SETLE 
PUSH POP “BTS ~SHRD- ~SHRD “MUL I) 
GS Gs Ev,Gv _EvGvib ines wd Ev |. 
Gr 8 BTC BSF BSR _ MOVSX 
BSWAP BSWAP BSWAP BSWAP- BSWAP BSWAP_ “BSWAP “BSWAP 
EAX ECX EDX EBX Or EBP ESI EDI 


intel. OPCODE MAP 


Opcodes determined by bits 5,4,3 of modR/M byte: 


TEST TEST ~ MUL IMUL DIV IDIV 
Ib/lv Ib/Iv AL/eAX AL/eAX AL/eAX AL/eAX © 
| INC DEC 
| Eb Eb 
INC DEC CALL CALL JMP “JMP =| PUSH 
Ev Ev Ev Ep . Ev Ep Ev 


Opcodes determined by bits 5,4,3 of modR/M byte: 


supt | STR Ltot | LTR VERR VERW_ 
. Ew Ew Ew Ew Ew 
‘SGT siot | uot | ur | ssw aE: LMSW | IVLPG. 
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APPENDIX B 
FLAG CROSS-REFERENCE — 


B.1 KEY TO CODES 


instruction tests flag | 

instruction modifies flag (either sets or resets depending on operands) 
instruction resets flag 

instruction sets flag | 

instruction’s effect on flag is undefined 

instruction restores prior value of flag 

instruction does not affect flag 


lou we tw Wo ueou 


ZS=1 Zz! 
=< £==5=21 S21 


BT/BTS/BTR/BTC 
CALL 
CBW 
CLC 
CLD 
CLI 
CLTS 
CMC 
CMP 
CMPS 
CMPXCHG 
CWD 
DAA 
DAS 
DEC 
DIV 
ENTER 
ESC. 
HLT 
IDIV | 
IMUL 
IN 
INC 
INS 
INT . 

— INTO © 
INVD 
INVLPG 


| sss S885 
|sss S885 
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~ LDS/LES/LSS/LFS/LGS °° 
LEA 

LEAVE : ae 
LGDT/LIDT/LLDT/LMSW 
LOCK 

LODS 

LOOP 
LOOPE/LOOPNE 
_LSL. mer 
LTR 

~MOV_ 

MOV control, debug 
_MOVS — ie 
MOVSX/MOVZX 

MUL 

NEG: 

NOP: 

NOT. 

OR | 

OUT 

OUTS 

~ POP/POPA 

POPF 

, PUSH/PUSHA/PUSHF 
RCL/RCR 1. 
RCL/RCR count 
REP/REPE/REPNE 
RET - 
ROL/ROR 1 
ROL/ROR count 
SAHF 
SAL/SAR/SHL/SHR 1 
SAL/SAR/SHL/SHR count 
SBB : 

SCAS 

SET cond | 
SGDT/SIDT/SLDT/SMSW 
SHLD/SHRD 

STC. 

STD 

STI 

STOS 

STR 

SUB : 

TEST 
VERR/VERRW 

WAIT 

~ WBINVD 

XADD_ - 

XCHG 

XLAT 

XOR- 


S ASSS=s0 

= of SSE 

= oSSS220 
aie ae as, : 
75 oAsS2sSs0S= 


B-2 


Status Flag Summary — C 


APPENDIX C 
STATUS FLAG SUMMARY 


C.1 STATUS FLAGS’ FUNCTIONS 


Carry Flag—Set on high-order bit carry or borrow; cleared otherwise. 


Parity Flag —Set if low-order eight bits of result contain an even number 
of 1 bits; cleared otherwise. 


Adjust Flag—Set on carry from or borrow to the low order four bits of. 
AL; cleared otherwise. Used for decimal arithmetic. 


Zero Flag — Set if result is zero; cleared otherwise. 


Sign Flag—Set equal to high- -order bit of result (0 is positive, 1 it 
negative). | 


Overflow Flag — Set if result is too large a positive number or too small a 
negative number (excluding sign-bit) to fit in destination operand; 
cleared otherwise. 


instruction tests flag 


instruction modifies flag 
(either sets or resets depending on operands) 


instruction resets flag 


instruction’s effect on flag is undefined 


instruction does not affect flag 


| intel. STATUS FLAG SUMMARY 


‘CMPXCHG 


SCAS 
NEG 


DEC 
INC 


z= sezzz]| 


IMUL ~ 
MUL 


<< 


RCL/RCR 1 
RCL/RCR count: 
ROL/ROR 1 

‘ ROL/ROR count 
SAL/SAR/SHL/SHR 1 : 
SAL/SAR/SHL/SHR count | 


ISL] Se :2e Sses= 


SHLD/SHRD 
BSF/BSR — 
BT/BTS/BTR/BTC — 


Zli=z 222222 


LSS .s5 . 


AND 
OR 
TEST 
XOR 


Sse 
2000 
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APPENDIX D 
CONDITION CODES 


Note: The terms “above” and “below” refer to the relation between two unsigned values 
(neither the SF flag nor the OF flag is tested). The terms “greater” and “less” refer to 
the relation between two signed values (the SF and OF flags are tested). 


D.1 DEFINITION OF CONDITIONS 


(For conditional instructions Jcond, and SETcond) 


instruction | a 
OF = 1 


Below 3 
NB Not below | ) 
Above or equal ee 


E Equal 
NE Not equal 
BE Below or equal _ 
Neither below nor equal 0111 (CF or ZF) = 0 
Above 
SF = 1 


NBE 
A 


Parity even | 
NP No parity i 
L Less ca 5 
Neither greater nor equal 1100 (SF xor OF) = 1 
NL Not less ; 
LE Less or equal ; 
NLE Neither less nor equal - 
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Timing 


APPENDIX E 
INSTRUCTION FORMAT AND TIMING 


This appendix is an excerpt from the Intel486™ Processor Data Sheet. 
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10.0 INSTRUCTION SET SUMMARY — 


This section describes the Intel486 microprocessor 
instruction set. Tables 10.1 through 10.3 list all in- 


structions along with instruction encoding diagrams — 


and clock counts. Further details of the instruction 
encoding are then provided in Section 10.2, which 
completely describes the encoding structure and the 
definition of all fields occurring within the Intel486 
microprocessor instructions. 

10.1 Intel486™ Microprocessor 

- Instruction Encoding and Clock 

Count Summary 


To calculate elapsed time for an instruction, multiply 
the instruction clock count, as listed in Tables 10.1 
through 10.3 by the processor clock period (e.g., 
40 ns for a 25 MHz Intel486 microprocessor). 


For more detailed information on the encodings of 
instructions, refer to Section 10.2 Instruction Encod- 
ings. Section 10.2 explains the general structure of 
instruction encodings, and defines exactly the en- 
codings of all fields contained within the instruction. 


INSTRUCTION CLOCK COUNT ASSUMPTIONS 


The Intel486 microprocessor instruction clock count 


tables give clock counts assuming data and instruc- 


tion accesses hit in the cache. A separate penalty 
column defines clocks to add if a data access miss- 
es in the cache. The combined instruction and data 
cache hit rate is over 90%. 


A cache miss will force the Intel486 microprocessor 
to run an external bus cycle. The Intel486 microproc- 
essor 32-bit burst bus is defined as r—b-—w. 


Where: 


r = The number of clocks in the first cycle of a 
burst read or the number of clocks per data 
cycle in a non-burst read. 


b = The number of clocks for the second and sub- 
sequent cycles in a burst read. 


w = The number of clocks for a write. 


The fastest bus the Intel486 microprocessor can 
support is 2—1—2 assuming 0 wait states. The 
clock counts in the cache miss penalty column as- 
sume a 2—1-—2 bus. For slower busses add r—2 
clocks to the cache miss penalty for the first dword 
accessed. Other factors also affect instruction clock 
counts. 


Instruction Clock Count Assumptions 


1. The external bus is available for reads or writes 
at all times. Else add clocks to reads until the 
bus is available. 
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INSTRUCTION FORMAT AND TIMING 


Accesses are aligned. Add three clocks to each. 


~ misaligned access. ___ 7 
. Cache fills complete before subsequent access- 


es to the same line. If a read misses the cache 


_ during a cache fill due to a previous read or pre- 


10. 


11. 


12. 


fetch, the read must wait for the cache fill to 
complete. If a read or write accesses a cache 
line still being filled, it must wait for the fill to 
complete. 


. If an effective address is calculated, the base 


register is not the destination register of the pre- 
ceding instruction. If the base register is the 
destination register of the preceding instruction 
add 1 to the clock counts shown. Back-to-back 
PUSH and POP instructions are not affected by 
this rule. 


. An effective address calculation uses one base 


register and does not use an index register. 
However, if the effective address calculation 
uses an index register, 1 clock may be added to 
the clock count shown. 


. The target of a jump is in the cache. If not, add r 


clocks for accessing the destination instruction 
of a jump. If the destination instruction is not 
completely contained in the first dword read, 
add a maximum of 3b clocks. If the destination 
instruction is not completely contained in the 
first 16 byte burst, add a maximum of another 
r+ 3b clocks. 


. If no write buffer delay, w clocks are added only 


in the case in which all write buffers are full. 
Typically, this case rarely occurs. 


. Displacement and immediate not used together. 


If displacement and immediate used together, 1 
clock may be added to the clock count shown. 


. No invalidate cycles. Add a delay of 1 clock for 


each invalidate cycle if the invalidate cycle con- | 
tends for the internal cache/external bus when 
the Intel486 CPU needs to use it. 


Page translation hits in TLB. A TLB miss will add 
13, 21 or 28 clocks to the instruction depending 
on whether the Accessed and/or Dirty bit in nei- 
ther, one or both of the page entries needs to 
be set in memory. This assumes that neither 
page entry is in the data cache and a page fault 
does not occur on the address translation. 


No exceptions are detected. during instruction 
execution. Refer to Interrupt Clock Counts Ta- 
ble for extra clocks if an interrupt is detected. 


Instructions that read multiple consecutive data 
items (i.e. task switch, POPA, etc.) and miss the 
cache are assumed to start the first access on a 
16-byte boundary. If not, an extra cache line fill 
may be necessary which may add up to (r+ 3b) 
clocks to the cache miss penalty. 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary 


Penalty if 
INSTRUCTION FORMAT Cache Hit Cache Miss 


INTEGER OPERATIONS 
MOV = Move: 


regi to reg2 1000100W 1/11 regi reg2 


reg2 to reg1 1000101w j11 regi reg2 
memory to reg 1000101w |mod reg r/m 


reg to memory 1000100w |mod reg r/m 


Immediate to reg 11000 reg] immediate data 


or 1011w reg immediate data 


displacement 
immediate 


Immediate to Memory 1100011w {mod 000 fr/m 


Memory to Accumulator 1010000w | full displacement 


Accumulator to Memory 1010001w | full displacement 


1011z11Ww {11 regi reg2 
1otizitw 


MOVSX/MOVZX = Move with Sign/Zero Extension 
reg2 to reg1 00001111 


memory to reg 00001111 


z___ instruction 


0 MOVZX 
1 MOVSX 


PUSH = Push 
reg 11111111 1/11 110 reg 


or 01010 reg 


mod 110 r/m 


memory 11111111 
immediate 011010s0 | immediate data 
PUSHA = Push All 01100000 


POP = Pop 
reg 10001111 4111 000 reg 


or , 01011 reg 


memory 10001111 |mod 000 r/m 


POPA = Pop All 01100001 


XCHG = Exchange 
regi with reg2 : 1000011wWw ]11 regi reg2 


Accumulator with reg 10010 reg 


Memory with reg 1000011w 


NOP = No Operation 10010000 


LEA = Load EA to Register 10001101 


no index register 
with index register 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 


aye _ Penalty If 
INSTRUCTION — ee FORMAT — | | Cache Hit | Cache Miss 


INTEGER OPERATIONS (Continued) 


Instruction 


ADD = Add 

ADC = Add with Carry 

AND = Logical AND 

OR = Logical OR 

SUB = Subtract. 101 
SBB = Subtract with Borrow 011 
XOR = Logical Exclusive OR 110 


regt to reg2 OOTTTOOWw | 11 


~y 
® 

© 
= 
= 

a 
~ 


reg2 to reg! OOTTTOIws11 regi reg2 


memory to register OOTTTO1w |mod reg r/m 


register to memory OOTTTOOW | mod reg r/m 


immediate to register 100000sw |11 TTT _ reg} immediate register 


immediate to accumulator OOTTT10w | immediatedata .. 


immediate to memory 100000sw | mod TTT. r/m} immediate data 


instruction 


INC = Increment 
DEC = Decrement 


reg Xs 1111111w/11 TTT reg 


oOo & 
“~ Oo 


or _ | O1TTT reg 


1111111w | mod TTT r/m 


Instruction 


NOT = Logical Complement 
NEG = Negate 


reg 1111011w]11 TTT reg 


fi 


memory | 1111011w jmod TTT r/m 


CMP = Compare 
reg with reg2 0011100w |/11 regi reg2 


ss 
—_ 


reg2 with reg1 0011101w 111 = regl reg2 


memory with register 0011100w [mod reg r/m 


register with memory | 0011101w | mod reg r/m 


immediate with register 100000sw |11 111 reg] immediate data 


immediate withacc. 0011110w | immediate data 


immediate with memory 100000sw |mod 111 r/m immediate data 


TEST = Logical Compare 


regi and reg2 ; 1000010w /11 regi reg2] 


memory andregister  . {| 1000010w {mod reg r/m 


immediate and register 1111011w 1114 000 reg | immediate data 


immediate and acc. 1010100w | immediate data 


immediate and memory mod 000 r/m| immediate data 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 


Penalty If 
FORMAT Cache Hit Cacho Miss 


INSTRUCTION 


INTEGER OPERATIONS (Continued) 


MUL = Multiply (unsigned) 


acc. with register 1111011w411 100 reg 


7 


Multiplier-Byte MN/MX, 3 
Word MN/MX, 3 
Dword MN/MX, 3 

acc. with memory 1111011w | mod 100 r/m 
Multiplier-Byte MN/MX, 3 
Word MN/MX, 3 
Dword MN/MxX, 3 


IMUL = Integer Multiply (signed) 


acc. with register 11 #101 = reg 
Multiplier-Byte MN/MX, 3 
Word MN/Mx, 3 
Dword MN/MX, 3 
ace. with memory 
Multiplier-Byte -MN/MX, 3 
Word MN/MX, 3 
Dword MN/MX, 3 
regi with reg2 00001111 | 10101111 111 regi reg2 
Multiplier-Byte MN/MX, 3 
Word MN/MxX, 3 
Dword MN/MX, 3 
register with memory mod reg r/m 
Multiplier-Byte MN/Mx, 3 
Word MN/MX, 3 
Dword MN/MxX, 3 . 
regi with imm. to reg2 011010s1 111 regi reg2] immediate data 
Multiplier-Byte MN/Mx, 3 
Word MN/MxX, 3 
Dword MN/MX, 3 
mem. with imm. to reg. 011010s1 |mod reg r/m| immediate data 
Multiplier-Byte MN/MX, 3 
Word MN/MxX, 3 
Dword MN/MX, 3 
DIV = Divide (unsigned) 
acc. by register 1111011w]11 110 reg 
Divisor-Byte 
Word 
Dword 
acc. by memory 1111011w }|mod 110 r/m 
Divisor-Byte 
Word 
Dword 


IDIV = Integer Divide (signed) 


acc. by register 1111011wj11t1 111 ~= reg 


Divisor-Byte 
Word 
Dword 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 


INSTRUCTION FORMAT ; cache Hit | Penalty it 
Cache Miss 


INTEGER OPERATIONS (Continued) . 


acc. by memory 1111011w]mod111r/m 


Divisor-Byte 
Word 
Dword 


|| CBW/CWDE = Convert Byte to Word/ 
Convert Word to Dword 10011000 


CWD/CDQ = Convert Word to Dword/ 


Convert Dword to 10011001 


Quadword 


Instruction . 


ROL = Rotate Left 000 
ROR = Rotate Right 001 
RCL = Rotate through Carry Left 010 
RCR = Rotate through Carry Right _ 011 
SHL/SAL = Shift Logical/Arithmetic Left 100 
SHR = Shift Logical Right 101 
SAR = Shift Arithmetic Right 111 


Not Through Carry (ROL, ROR, SAL, SAR, SHL, and SHR) 
reg by 1 . 1101000w |11 TTT reg 


memory by 1 1101000w | mod TTT r/m 


reg by CL | 110100iw |11 TTT reg 


mod TTT r/m 


memory by CL 1101001w 


reg by immediate count 1100000w |11 TTT _ reg} immediate 8-bit data 


mem by immediate count . 1100000w | mod TTT r/m| immediate 8-bit data 


Through Carry (RCL and RCR) 
reg by 1 - 1101000w 1/11 TTT reg 


memory by 1 1101000w |mod TTT r/m 


reg by CL | 1101001w {11 TTT reg ; MN/MX, 4 


memory by CL . | 1101001w |mod TTT r/m . MN/MX, 5 


| reg by immediate count 1100000w |11 TTT reg] immediate 8-bit data MN/MX, 4 


mem by immediate count 1100000w | mod TTT r/m| immediate 8-bit data MN/MX, 5 


‘Instruction 


SHLD = Shift Left Double 
SHRD = Shift Right Double 


register with immediate . imm 8-bit data 
memory by immediate imm 8-bit data 
register by CL | 
memory by CL mod reg r/m 

| BSWAP = Byte Swap 


| XADD = Exchange and Add 
regt, reg2 11  reg2 regi 


memory, reg . mod reg r/m 


CMPXCHG = Compare and Exchange 
regi, reg2 11° reg2 regi 


memory, reg mod reg. r/m 
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INSTRUCTION 


Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 7 


FORMAT 


CONTROL TRANSFER (within segment) 


NOTE: Times are jump taken/not taken 


Jccc = Jump onccc 


8-bit displacement O11itttn 


full displacement 00001111 


NOTE: Times are jump taken/not taken 


SETcccc = Set Byte on cccc (Times aro cccc true/false) 


reg 


memory 


Mnemonic 
cccc: 


P/PE 
“NP/PO 
L/NGE 
NL/GE 
LE/NG 
NLE/G 


00001111 


00001111 


Condition 


Overflow 

No Overfiow 

Below/Not Above or Equal 

Not Below/Above or Equal 
Equal/Zero 

Not Equal/Not Zero 

Below or Equal/Not Above 

Not Below or Equal/Above 

Sign 

Not Sign 

Parity/Parity Even 

Not Parity/Parity Odd 

Less Than/Not Greater or Equal 
Not Less Than/Greater or Equal 
Less Than or Equal/Greater Than 
Not Less Than or Equal/Greater Than 


LOOP = LOOP CX Times 11100010 


LOOPZ/ LOOPE 


8-bit disp. 


1001tttn 


1001tttn 


0000 
0001 
0010 
0011 
0100 


0101 


0110 
0111 
1000 
1001 
1010 
1011 
1100 


1101 . 


1110 
1111 


8-bit disp. 


full displacement 


11 000 reg 


mod 000 r/m 


= Loop with 11100001 
Zero/Equal 


LOOPNZ/LOOPNE = Loop while 11100000 


JCXZ = Jump on CX Zoro 


JECXZ = Jump 


Not Zero 


on ECX Zero 


(Address Size Prefix Differentiates JCXZ for JECXZ) 


JMP = Uncondi 
Short 


Direct 


tlonal Jump (within segment) 


11101001 


Register Indirect 11111111 


Memory Indirect 11111111 


CALL = Call (within segment) 


Direct 


11101000 


Register Indirect 11111111 


Memory Indirect 11111111 


RET = Return from CALL (within segment) 


Adding Immedi 


11 


11 010 fe 


11000011 


ate to SP 11000010 


8-bit disp. | 


8-bit disp. 


8-bit disp. | 


8-bit disp. 


8-bit disp. 


full displacement 


100 reg 


16-bit disp. 


mod 100 r/m 


full displacement — 


g 


mod 010 r/m 
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T/NT, 23 


T/NT, 23 


L/NL, 23 


L/NL, 23 
L/NL, 23 


T/NT, 23 


T/NT, 23 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 


Penalty if 
INSTRUCTION 3 FORMAT CacheHit | - ory 
Cache Miss 
| CONTROL TRANSFER (within segment) (Continued) - as 


ENTER = Enter Procedure 11001000 /|16-bitdisp., 8-bitleve 


Level = 0 
Level = 1 
Level (L) > 1 


LEAVE = Leave Procedure 11001001 


MULTIPLE-SEGMENT INSTRUCTIONS 
| MOV = Move 


reg. to segment reg. 10001110 |11 sreg3 reg 


memory tosegmentreg. . 10001110 | mod sreg3 r/m 


segment reg. to reg. 10001100 |11 sreg3 reg 


segment reg. to memory 10001100 | mod sreg3 r/m 


| 


PUSH = Push 


segment reg. | 000sreg2110 
(ES, CS, SS, or DS) 


segment reg. (FS or GS) 00001111 110 sreg3000 


POP = Pop 


segment reg. 000sreg2111 
(ES, SS, or DS) 


RV/P, 9 


segment reg. (FS or GS) 00001111 110 sreg3001 ; RV/P,9 | 


LDS = Load Pointer to DS 11000101 | mod reg r/m : | RV/P,9 © 


LES = Load Pointer to ES 11000100 |mod reg r/m ~ RV/P,9 - 


10110100 |mod reg _t/mj. x | RwP,9 


LGS = Load Pointer to GS 00001111 10110101 |mod reg r/m “| RV/P,9 


10110010 | | Av/P,9 


LFS = Load Pointer to FS 00001111 


LSS = Load Pointer to SS 00001111 


CALL = Call 
Direct intersegment . 10011010 | unsigned full offset, selector | . R, 7, 22 


to same level - _ . P,9 
thru Gate to same level a . c P,9 

to inner level, no parameters 3 wp, P,9 

to inner level, x parameter (d) words P,11,9 | 
to TSS ; P, 10,9 
thru Task Gate : . P, 10,9 


Indirect intersegment 411111111 |mod 011 r/m . . R,7 


to same level | .* - 8 | P,9 

thru Gate to same level 7 on . , P,9 

to inner level, no parameters a Me P,9 

to inner level, x parameter (d) words . P,11,9 

to TSS P, 10,9 | 

thru Task Gate . 7 | _ | P, 10,9 
RET = Return from CALL . ; 


intersegment 


R, 7 


to same level ee 
to outer level - - P,9 


intersegment adding 11001010 16-bit disp. 


imm. to SP _ | 7 R,7 
to same level ee 9 | .. P89 
to outer level vid 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 


INSTRUCTION 


FORMAT 


MULTIPLE-SEGMENT INSTRUCTIONS (Continued) 


JMP = Unconditional Jump 
Direct intersegment 


to same level 

thru Call Gate to same level 
thru TSS 

thru Task Gate 


Indirect intersegment 


to same level 

thru Call Gate to same level 
thru TSS 

thru Task Gate 


BIT MANIPULATION 
BT = Test bit 


register, immediate 
memory, immediate 
regi, reg2 

memory, reg 


Instruction 


BTS = Test Bit and Set 
BTR = Test Bit and Reset 
BTC = Test Bit and Compliment 


register, immediate 


memory, immediate 
regi, reg2 
memory, reg 


BSF = Scan Bit Forward 
regi, reg2 


memory, reg 


BSR = Scan Bit Reverse 
regi, reg2 


memory, reg 
STRING INSTRUCTIONS 
CMPS = Compare Byte Word 


LODS = Load Byte/Word 
to AL/AX/EAX 


MOVS = Move Byte/Word 
| SCAS = Scan Byte/Word 


STOS = Store Byte/Word 
from AL/AX/EX 


XLAT = Translate String 


11101010 


117111111 


00001111 


00001111 


00001111 


00001111 


101 
110 
111 


00001111 


00001111 


00001111 


mod 101 r/m 


Ponalty if 
Cache Miss 


unsigned full offset, selector. R, 7, 22 


P;9 
P,9 
P,10,9 - 
P, 10,9 
R,7,9 
P,9 
P,9 
P, 10,9 
P, 10,9 


10111010 711 100° reg} imm. 8-bit data 


10111010 | mod 100 r/m| imm. 8-bit data 
10100011 11  reg2 regi 
10100011 |mod reg r/m 


10111010 }11 TTT _ reg] imm. 8-bit data 


10111010 | mod TTT = r/m| imm. 8-bit data U/L 


10TTTO11 [11 reg2 regi 


00001111 


00001111 


00001111 


00001111 


00001111 


1010011w 


1010010w 


1010111W 


1010101WwW 


11010111 


10TTTO11 | mod 


reg r/m U/L 


10111100 |11  reg2 regi MN/MX, 12 | 


10111100 | mod 


reg) r/m MN/MX, 13 


10111101 /11  reg2 regi MN/MX, 14 
mod reg r/m MN/MxX, 15 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 


Penalty if 


INSTRUCTION 


REPEATED STRING INSTRUCTIONS 


me) 
@® 
U 
@ 
et) 
~J 
© 
a 
io” 
< 
2) 
o) 
= 
> 
5 
QO 
x 
°o 
| 
m 
QO 
x< 
fo) 


REPE CMPS = Compare String 
(Find Non-Match) 
C=0 
C>0 


REPNE CMPS = Compare String 
(Find Match) 
C 
C>0 


REP LODS = Load String 
C=0 
C>0 


REP MOVS = Move String 
C=0 
C=1 
Cc>1 


REPE SCAS = Scan String 
(Find Non-AL/AX/EAX) 
C=0 
C>0 


REPNE SCAS = Scan String 
(Find AL/AX/EAX) 
Cc=0 
C>0 


REP STOS = Store String 
C=0 
C>0 


FLAG CONTROL 

CLC = Cloar Carry Flag 

STC = Set un Flag 

CMC = Complement Carry Flag 
CLD = Clear Direction Flag 


STD = Set Direction Flag 


CLI = Clear Interrupt 
Enable Flag 


STt = Set Interrupt 
Enable Flag 


LAHF = Load AH Into Flag 
SAHF = Store AH Into Flags 
PUSHF = Push Flags 

POPF = Pop Flags 
DECIMAL ARITHMETIC 

AAA = ASCIil Adjust for Add 


AAS = ASCII Adjust for 
Subtract 


AAM = ASCII Adjust for 
Multiply 


INSTRUCTION FORMAT AND TIMING 


FORMAT 


Count in CX or ECX) 
11110011 | 1010011Ww 
5 
7+7c 
11110010 | 1010011w 
5 
7+7c 
11110011 | 1010110w 
5 
7+4c 
11110011 | 1010010w 
5 
13 
12+3c 
11110011 | 1010111w 
5 
7+5c 
11110010 | 1010111w. 
5 
7+5c 
11110011 | 1010101w 
5 
7+4c 
11111000 2 
11111001 2 
11110101 2 
11111100 2 
11111101 2 
11111010 5 
11111011 5 
10011111 3 
10011110 2 
10011100 4/3 
10011101 9/6 
00110111 3 
00111111 3 
11010100 | 00001010 15 


E 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 


Penalty If 


DECIMAL ARITHMETIC (Continued) 


AAD = ASCIil Adjust for 
Divide 


00001010 


DAA = Decimal Adjust for Add 00100111 


DAS = Decimal Adjust for Subtract 00101111 


PROCESSOR CONTROL INSTRUCTIONS 


HLT = Halt 11110100 


MOV = Move To and From Control/Debug/Test Registers 


CRO from register 00001111 00100010 {11 000 reg 


CR2/CR3 from register 00001111 00100010 |11 eee reg 
Reg from CRO-3 00001111 00100000 {11 eee reg 
DRO-3 from register 00001111 00100011 |11 eee reg 
DR6-7 from register 00001111 00100011 {11 ees reg | 


Register from DR6-7 00001111 00100001 {11 eee reg 


Register from DRO-3 00001111 00100001 {11 eee reg 


TR3 from register 00001111 00100110 |;11 O11 reg 


TR4-7 from register 00001111 00100110 }11 eee reg 


Register from TR3 00001111 00100100 {11 011 reg 


Register from TR4-7 00001111 00100100 }/11 eee reg 


CLTS = Clear Task Switched Flag 00001111 00000110 
INVD = Invalidate Data Cache 00001111 00001000 


WBINVD = Write-Back and Invalidate; 00001111 00001001 
Data Cache 


INVLPG = Invalidate TLB Entry _ 


INVLPG memory 00001111 00000001 |mod 111 r/m 


PREFIX BYTES 


Address Size Prefix 01100111 
LOCK = Bus Lock Prefix 11110000 
Operand Size Prefix 01100110 


Segment Override Prefix 
CS: 00101110 


DS: 00111110 
ES: 00100110 
FS: 01100100 
Gs. 01100101 


SS: 00110110 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 


. Penaity if | 
Cache Hit Cache Miss 


INSTRUCTION : . HY ods FORMAT 


PROTECTION CONTROL 
ARPL = Adjust Requested Privilege Level 


From register 
From memory 


LAR = Load Access Rights 
From register 11° regi reg2 


From memory mod reg r/m 
LGDT = Load Global Descriptor 

Table register 
LIDT = Load Interrupt Descriptor : 

Table register | mod 011 r/m 


LLDT = Load Local Descriptor 
Table register fromreg. © 11 010 reg 


Table register from mem. 00000000 | mod 010 f/m 


LMSW = Load Machine Status Word 


From register . 11 110.. reg 
From memory | mod 110 t/m 
LSL = Load Segment Limit | i 7 _ 
From register . 11° reg1 reg2 
From memory mod reg r/ 


LTR = Load Task Register 
From Register 11. 011° re 


From Memory 


SGDT = Store Global Descriptor Table 
00001111 mod 000 r/m 


SIDT = Store Interrupt Descriptor Table 
| mod 001 r/m 


SLDT = Store Local Descriptor Table 
To register 11 000 reg 


To memory mod 000 fr/m 


SMSW = Store Machine Status Word 
To register 11 100 reg 


- To memory mod 100 r/m 


STR = Store Task Register 
To register 11 001 reg 


To memory mod 001 r/m 


VERR = Verify Read Access 


Register | 00001111 | 00000000 |11 100 t/m 
Memory a ~1 00001111 | 00000000-| mod 100 r/m 


VERW = Verify Write Access 


To register 00001111 00000000 11 #10 
To memory 00001111 00000000 |mod 101 r/m 


_ 

a 

ie) 
i‘) 
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Table 10.1. Intel486™ Microprocessor Integer Clock Count Summary (Continued) 


Penalty if 
INSTRUCTION . FORMAT Cache Hit Cache Miss Notes 


INTERRUPT INSTRUCTIONS 
INT n = Interrupt Type n INT + 4/0 RV/P, 21 
INT 3 = Interrupt Type 3 INT+0 21 


INTO = Interrupt 4 If 
Overflow Flag Set 
Taken 
Not Taken 


BOUND = Interrupt 5 If Detect 


Value Out Range 


If in range . 7 
If out of range INT +24 


IRET = interrupt Return 11001111 


Real Mode/ Virtual Mode 15 
Protected Mode 
To same level 20 
To outer level 36 
To nested task (EFLAGS.NT = 1) TS +32 


External Interrupt INT+11 
NMI = Non-Maskable interrupt INT+3 
Page Fault ; INT + 24 


VM86 Exceptions _ 
CLI . INT+8 
STI INT+8 
INT n INT+9 
PUSHF INT+9 
POPF INT+8 
IRET : INT+9 
IN _ | 
Fixed Port INT +50 
Variable Port . INT+51 
OUT . hee? 
Fixed Port . . . : = INT + 50 
Variable Port INT +51 
INS INT +50 
OUTS . INT +50 
REP INS INT +51 
REP OUTS INT +51 


Task Switch Clock Counts Table | 


Method Value for TS 
Cache Hit Miss Penalty 


VM/Intel486 CPU/286 TSS To Intel486 CPU TSS 162 
VM/Intel486 CPU/286 TSS To 286 TSS 143 31 
VM/Intel486 CPU/286 TSS To VM TSS 140 37 
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“wa Se Interrupt Clock Counts Table __ 

Method : Value for INT 

, [cache rit | Miss Penalty _ area 
3 =: : 


Real Mode 


Protected Mode 
Interrupt/Trap gate, same level 
Interrupt/Trap gate, different level 


Task Gate © 
Virtual Mode 
Interrupt/Trap gate, different level © 
Task gate 
Abbreviations _—Definition - 
16/32 16/32 bit modes 
U/L unlocked/locked 
-MN/MX minimum/maximum 
~L/NL | loop/no loop 
RV/P ~ real and virtual mode/protected mode 
R real mode 
P . protected mode 
T/NT taken/not taken 
H/NH hit/no hit 
‘NOTES: 


1. Assuming that the operand address and stack address fall in different cache sets. 
2. Always locked, no cache hit case. 
3. Clocks = 10 + max(loga(|m]),n) 
= multiplier value (min clocks for m= 0) 
n = 3/5 for tm 
4. Clocks = {quotient(count/operand length)}*7+9 
8 if count < operand length (8/16/32) 
{quotient(count/operand length)}*7+9 
9 if count < operand length (8/16/32) 
6. Equal/ not equal cases (penalty is the same regardless of lock). 
7. Assuming that addresses for memory read (for indirection), stack push/pop, and branch fall in different cache sets. 
8. Penalty for cache miss: add 6 clocks for every 16 bytes copied to new stack frame. 
9. Add 11 clocks for each unaccessed descriptor load. 
10. Refer to task switch clock counts table for value of TS. 
11. Add 4 extra clocks to the cache miss penalty for each 16 bytes. 
For notes 12-13: (b = 0-3, non-zero byte number); 
(i = 0-1, non-zero nibble number); 
(n = 0- 3, non bit number in nibble); 
12. Clocks = 8+4 (b+1) + 3(i+1) + 3(n+ 1) 
- = 6 if second operand = 0 
9+4(b+1) + 3(+1) + 3(n+1)_ 
= 7 if second operand = 0 
For notes 14-15: (n = bit position 0- aa). 
14. Clocks = 7 + 3(32-—n) © 
6 if second operand = 0 
15. Clocks = 8 + 3(32—n) 
7 if second operand = 0 
16. Assuming that the two string addresses fall in different cache sets. 
17. Cache miss penalty: add 6 clocks for every 16 bytes compared. Entire penalty on first compare. 
18. Cache miss penalty: add 2 clocks for every 16 bytes of data. Entire penalty on first load. 
19. Cache miss penalty: add 4 clocks for every 16 bytes moved. 
(1 clock for the first operation and 3 for the second) 
20. Cache miss penalty: add 4 clocks for every 16 bytes scanned. 
(2 clocks each for first and second operations) 
21. Refer to interrupt clock counts table for value of INT 
22. Clock count includes one clock for using both displacement and immediate. 
23. Refer to assumption 6 in the case of a cache miss. 


_ 5. Clocks 


13. Clocks 
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Table 10.2. Intel486™ Microprocessor I/O Instructions Clock Count Summary 


. Protected | Protected 
INSTRUCTION FORMAT | pri Mode Modo Uineter 
(CPL<IOPL)|(CPL>IOPL) 


1/0 INSTRUCTIONS 


IN = Input from: 
Fixed Port 1110010w 


Variable Port 1110110wW 


OUT = Output to: 
Fixed Port 1110011w| portnumber _ 


Variable Port , 11101114w 


INS = Input Byte/Word 
from DX Port 


OUTS = Output Byte/Word 0110111W 
to'DX Port 


0110110w 
REP OUTS = Output String 11110011] 0110111Ww 


REP INS = Input String 


NOTES: 

1. Two clock cache miss penalty in all cases. 

2. c = count in CX or ECX. | | . 

3. Cache miss penalty in all modes: Add 2 clocks for every 16 bytes. Entire penalty on second operation. 
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Table 10.3. Intel486™ Microprocessor Floating Point Clock Count Summary 


Concurrent 
Penalty if Execution 
Notes 


INSTRUCTION FORMAT | Avg (Lower | Cache Miss | Avg (Lower 
Range... Range... 
Upper Range) Upper Range) 


DATA TRANSFER 
FLD = Real Load to ST(0) 
32-bit memory 


64-bit memory 
80-bit memory 
ST(i) 


FILD = Integer Load to ST(0) 
16-bit memory 14.5(13-16) a 4 


32-bitmemory 11.5(9~12) 4(2-4) 
64-bit memory a 16.8(10-18) |. 7.8(2-8). 
FBLD = BCDLoadtoST(0) ~ 75(70-103) |. 7.7(2-8) - 


FST = Store Real from ST(0) 
32-bit memory 


64-bit memory mod 010 r/m 
ST(i) “111011 1 


FSTP = Store Real from ST(0) and Pop 
32-bit memory 


64-bit memory 
80-bit memory 
ST(i) 


FIST = Store Integer from ST(0) 
16-bit memory | 33.4(29-34) 


32-bit memory 32.4(28-34) 


16-bit memory 33.4(29-34) - 
32-bit memory , 33.4(29-34) 
64-bit memory 33.4(29-34) 


FBSTP = Store BCD from 175(172-176) 
ST(0) and Pop 


FXCH = Exchange ST(0) and ST(i) 
COMPARISON INSTRUCTIONS 


FCOM = Compare ST(0) with Real 
32-bit memory s-i-b/disp. 


64-bit memory 11011 100]mod 010 r/m s-i-b/disp. 


ST(i) 11011 000/11010 ST(i 


FCOMP = Compare ST(0) with Reai and Pop 
32-bit memary 11011 000|mod 011 f/m 


64-bit memory 11011 100 


mod 011 r/m 


ST(i) 11011 000/11011 = ST(i) 
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Table 10.3. Intel486™ Microprocessor Floating Point Clock Count Summary (Continued) 


Concurrent 
Execution 


Avg (Lower Avg (Lower 
Range... Range... 
Upper Range) Upper Range) 


Penalty If 
Cache Miss 


INSTRUCTION FORMAT 


COMPARISON INSTRUCTIONS (Continued) 


FCOMPP = Compare ST(0) with 11011 110 
ST(1) and Pop Twice 
FICOM = Compare ST(0) with Integer 


16-bit memory 11011 110}/mod 010 r/m ‘s-i-b/disp. 


mod 010 r/m 


18(16-20) 


s-i-b/disp. 16.5(15-17) 


32-bit memory 


FICOMP = Compare ST(0) with Integer 
16-bit memory 11011 110]mod 011 r/m s-i-b/disp. 


18(16-20) 


32-bit memory 11011 010 s-i-b/disp. 16.5(15-17) 
FTST = Compare ST(0) with 0.0 11011 001}1110 0100 
FUCOM = Unordered compare 11011 101/11100 STi) 
ST(0) with ST(I) 
FUCOMP = Unordered compare 11011 101/11101 ST(i) 
ST(0) with ST(i) and Pop 


FUCOMPP = Unordered compare 11011 010 
ST(0) with ST(i) and Pop Twice 


FXAM = Examine ST(0) 11011 OO1 

CONSTANTS 

FLDZ = Load +0.0 into ST(0) 1110 1110 
FLD1 = Load + 1.0 into ST(0) : 
FLDPI = Load z Into ST(0) 


FLDL2T = Load log2(10) Into ST(0) 11011 001 
FLDL2E = Load Iog2(e) Into ST(0) 1110 1010 


FLDLG2 = Load logio(2) IntoST(0) }11011 001/1110 1100 


FLDLN2 = Load log,(2) into ST(0) 414011 001 1110 1101 
ARITHMETIC 
FADD = Add Real with ST(0) 
ST(0) <— ST(0) + 32-bit memory 11011 000}]mod 000 ¢/m s-i-b/disp. | - _ 10(8-20) 7(5-17) 


ST(0) <— ST(0) + 64-bit memory 11011  100|mod 000 ¢/m| __ s-i-b/disp. 10(8-20) 7(5-17) 


ST(d) <— ST(0) + ST(i) 11011 d00)11000 = ST(i) 7(5-17) 


10(8-20) 


FADDP = Add real with ST(0) and 10(8-20) " 75-17) 
Pop (ST(I) <— ST(0) + ST(i)) 
FSUB = Subtract real from ST(0) 


ST(0) <— ST(0) — 32-bit memory 11011 000/mod 100 f/m s-i-b/disp. 
~ ST(O) <— ST(0) — 64-bit memory 11011 100]/mod 100 f/m s-i-b/disp. 


11000 STi) 


7(5-17) 


10(8-20) 


10(8-20) 7(5-17) 


ST(d) <— ST(0) — ST(i) 11011 doo 7(5-17) 


1110d ST(i) 10(8-20) 


FSUBP = Subtract real from ST(0) 110117 110/11101 ST] 


and Pop (ST(i) <— ST(0) — ST(I)) 


10(8-20) 7(5-17) 


E 


ar 
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Table 10.3. Intel486™ Microprocessor Floating Point Clock Count Summary (Continued) 


[ce 
Penalty if Execution 
Notes 


INSTRUCTION | FORMAT Avg (Lower | Cache Miss | Avg (Lower 
Range... Range... 
Upper Range) Upper Range) 


ARITHMETIC (Continued) 

FSUBR = Subtract real reversed (Subtract ST(0) from real) 
ST(0) <— 32-bit memory — ST(0) 10(8-20) 
ST(0) <— 64-bit memory — ST(0) 10(8-20) 


- ST(d) <— ST(i) — ST(0) ; 10(8-20) - 
FSUBRP = Subtract real reversed 1 406-20) 
and Pop (ST(i) <— ST(i) — ST(0)) 
FMUL = Multiply real with ST(0) 
ST(0) < ST(0) < 32-bit memory s-i-b/disp. 
ST(0) <— ST(0) < 64-bit memory ' §-i-b/disp. 
ST(d) <— ST(0) x ST(i) 


FMULP = Multiply ST(0) with ST(I) 
and Pop (ST(I) <— ST(0) < ST(i)) 
FDIV = Divide ST(0) by Real 
ST(0) <— ST(0)/32-bit memory s-i-b/disp. 


ST(0) <— ST(0)/64-bit memory s-i-b/disp. 
ST(d) <— ST(0)/ST(i) 


FDIVP = Divide ST(0) by ST(i) and 
Pop (ST(I) <— ST(0)/ST(i)) 
'|FDIVR = Divide real reversed (Real/ST(0)) 
ST(0) <— 32-bit memory/ST(0) 11011 -000 


ST(0) <— 64-bit memory/ST(0) 11011 100)mod 111 r/m s-i-b/disp. 


ST(d) <— ST(i)/ST(0) 11011 dO0O};1111d ST(i) 
FDIVRP = Divide real reversed and 11011 1107311110 #ST(i) 
Pop (ST(I) <- ST(I)/ST(0)) 

FIADD = Add Integer to ST(0) ? 
ST(0) <— ST(0) + 16-bit memory 411071 110}mod 000 r/m s-i-b/disp. 24(20-35) 


ST(0) <— ST(0) + 32-bit memory 11011 010]mod 000 r/m s-i-b/disp. 22.5(19-32) 


FISUB = Subtract Integer from ST(0) 
ST(0) <— ST(0) — 16-bit memory 11011 110 


mod 100 r/m s-i-b/disp. 24(20-35) 


ST(0) <— ST(0) — 32-bit memory 11011 010}mod 100 r/m s-i-b/disp. 22.5(19-32) 


FISUBR = Integer Subtract Reversed 


ST(0) <—. 16-bit memory — ST(0) 11011 110}/mod 101 r/m s-i-b/disp. 24(20-35) 


mod +01 r/m 


ST(0) <— 32-bit memory — ST(0) 1101 1 010 s-i-b/disp. 22.5(19-32) 


FIMUL = Multiply integer with ST(0) 
ST(0) < ST(0) < 16-bit memory mod 001 f/m s-i-b/disp. 25(23--27) 


ST(0) <— ST(0) < 32-bit memory mod 001 r/m s-i-b/disp. 23.5(22-24) 


FIDIV = Integer Divide 


ST(0) <- ST(0)/16-bit memory 11011 1410;/mod 110 r/m| _ s-i-b/disp. 87(85-89) 


ST(0) <— ST(0)/32-bit memory mod 110 r/m 


s-i-b/disp. 85.5(84-86) 
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Table 10.3. Intel486™ (Viicroprocessor Floating Point Clock Count Summary (Continued) 


Concurrent 
Execution 
Avg (Lower | Notes 
Range... 
Upper Range) 


Penalty If 
Cache Miss 


INSTRUCTION FORMAT Avg (Lowor 
Range... 


Upper Rango) 


ARITHMETIC (Continued) 
FIDIVR = Integer Divido Reversed 


ST(0) <— 16-bit memory/ST(0) f41011  110]mod 1114 ¢/m 87(85-89) 70 
ST(0) <— 32-bit memory/ST(0) 141041 010{mod 144. ¢/m| 85.5(84-86) 70 
FSQRT = Square Root l144011 0014/1111 1010 85.5(83-87) 70 
FSCALE = Scalo ST(0) by ST(1) 440141 0014/1111 11014] 31(30-32) 2 
FXTRACT = Extract components 19(16-20) 4(2-4) 
of ST(0) , 
FPREM = Partial Rominder 84(70-138) 2(2--8) 
FPREM1 = Partial Reminder (IEEE) 94.5(72-167) 5.5(2-18) 
FRNDINT = Round ST(0) to integer 29.1(21-30) 7.4(2-8) 
FABS = Absolute value of ST(0) 3 
FCHS = Change sign of ST(0) 6 
TRANSCENDENTAL 
FCOS = Cosine of ST(0) . 241(193-279) 2 
FPTAN = Partial tangent of ST(0) 244(200-273) 70 
FPATAN = Partial arctangent 289(218-303) 5(2—-17) 
FSIN = Sino of ST(0). 241(193-279) 2 
FSINCOS = Sine and cosino of ST(0) 291 (243-329) 2 
F2xm1 = 25700) — 4 | 242(140-279) 2 
FYL2X = ST(1) x loga(ST(0)) 311(196-329) 13 
FYL2XP1 = ST(1) X loga(ST(0) + 1.0) 313(171-326) 13 


PROCESSOR CONTROL 


FINIT = Initialize FPU 11011 0117/1110 0011 
FSTSW AX = Store status word 11011 111131110 0000 
into AX 
FSTSW = Store status word 11011 101}mod 111 r/m s-i-b/disp. 
into memory 
FLDCW = Load control word 11011 001}mod 101 f/m s-i-b/disp. 
FSTCW = Store control word 11011 001{mod 111 r/m s-i-b/disp. 


FCLEX = Clear exceptions 11011 011);1110 0010 


FSTENV = Store environment 11011 001})mod 110 r/m s-i-b/disp. 


Real and Virtual modes 16-bit Address 
Real and Virtual modes 32-bit Address 
Protected mode 16-bit Address 
Protected mode 32-bit Address 


FLDENV = Load environment 11011 001{mod 100 r/m 
Real and Virtual modes 16-bit Address 

Real and Virtual modes 32-bit Address 

Protected mode 16-bit Address 

Protected mode 32-bit Address 
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Concurrent 
Penalty if Execution 


INSTRUCTION FORMAT Avg (Lower Cache Miss Avg (Lower .| Notes 
Range... Range... 
Upper Range) Upper Range) 


PROCESSOR CONTROL (Continued) 
FSAVE = Save state 11011 101|mod 110 r/m| sib/disp. | 3 
Real and Virtual modes 16-bit Address 
~ Real and Virtual modes 32-bit Address 
Protected mode 16-bit Address 
Protected mode 32-bit Address ; : 
FRSTOR = Restore state 41011. 101]mod 100 ¢/m | 
Real and Virtual modes 16-bit Address 
Real and Virtual modes 32-bit Address ; 
Protected mode 16-bit Address 7 |. 
Protected mode 32-bit Address 
0011/1111 0111 
FFREE = FreeST(i) _ 11011 101 
FNOP = No operations 11011 O01 . : 
WAIT = Wait until FPU roady 
(Minimum/Maximum) 


NOTES: q 

1. If operand is 0 clock counts = 27. 

2. If operand is 0 clock counts = 28. 

3. If CW.PC indicates 24 bit precision then subtract 38 clocks. 

"If CW.PC indicates 53 bit precision then subtract 11 clocks. 

. If there is a numeric error pending from a previous instruction add 17 clocks. 

. If there is a numeric error pending from a previous instruction add 18 clocks. : 

. The INT pin is polled several times while this instruction is executing to assure short interrupt latency. 
. lf ABS(operand) is greater than 77/4 then add n clocks. Where n = (operand/(7/4)). 


NO A 
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10.2 Instruction Encoding 


10.2.1 OVERVIEW 


All instruction encodings are subsets of the general 
instruction format shown in Figure 10.1. Instructions 
consist of one or two primary opcode bytes, possibly 
an address specifier consisting of the ‘mod r/m” 
byte and ‘scaled index”’ byte, a displacement if re- 
quired, and an immediate data field if required. 


Within the primary opcode or opcodes, smaller en- 
coding fields may be defined. These fields vary ac- 
cording to the class of operation. The fields define 
such information as direction of the operation, size 
of the displacements, register encoding, or sign ex- 
tension. 


Almost all instructions referring to an operand in 
memory have an addressing mode byte following 
the primary opcode byte(s). This byte, the mod r/m 
byte, specifies the address mode to be used. Certain 
encodings of the mod r/m byte indicate a second 
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addressing byte, the scale-index-base byte, follows 
the mod r/m byte to fully specify the addressing 
mode. 


Addressing modes can include a displacement im- 
mediately following the mod r/m byte, or scaled in- 
dex byte. If a displacement is present, the possible 
sizes are 8, 16 or 32 bits. 


If the instruction specifies an immediate operand, 
the immediate operand follows any displacement 
bytes. The immediate operand, if specified, is always 
the last field of the instruction. 


Figure 10.1 illustrates several of the fields that can 
appear in an instruction, such as the mod field and 
the r/m field, but the Figure does not show all fields. 
Several smaller fields also appear in certain instruc- 
tions, sometimes within the opcode bytes them- 
selves. Table 10.4 is a complete list of all fields ap- 
pearing in the Intel486 Microprocessor instruction 
set. Further ahead, following Table 10.4, are de- 
tailed tables for each field. 


TTTTTTTT(TTTTTTTT| modTTTr/m| ss index base |d32 | 16| 8 | none data32 | 16 | 8 | none 


0,765320 


765320 


a ene 


- opcode “mod r/m” 
(one or two bytes) | byte 

(T represents an 
opcode bit.) 


fe oe ey 


register and address 
mode specifier _ 


“s-j-b” address immediate 

byte displacement data 

(4, 2, 1 bytes (4, 2, 1 bytes 
or none) or none) 


' Figure 10.1. General Instruction Format 


Table 10.4. Fields within Intel486™ Microprocessor Instructions 


reg General Register Specifier 


mod r/m 


tttn 
or a Condition Negated 


NOTE: 
Tables 10.1-10.3 show encoding of individual instructions. 
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Field Name Description Number of Bits 


Specifies if Data is Byte or Full Size (Full Size is either 16 or 32 Bits 
Specifies Direction of Data Operation 
Specifies if an Immediate Data Field Must be Sign-Extended | 


Address Mode Specifier (Effective Address canbea General Register) 


Ss Scale Factor for Scaled Index Address Mode 

index General Register to be used as Index Register — 

base General Register to be used as Base Register » 

sreg2 Segment Register Specifier for CS, SS, DS, ES 

sreg3 Segment Register Specifier for CS, SS, DS, ES, FS, GS 


For Conditional Instructions, Specifies a Condition Asserted 


2 for mod; 
3 forr/m 


intel. 
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10.2.2 32-BIT EXTENSIONS.OF THE - 
"INSTRUCTION SET 


With the Intel486 Microprocessor, the 8086/80186/ 
80286 instruction set is extended in two orthogonal 
directions: 32-bit forms of all 16-bit instructions are 
added to support the 32-bit data types, and 32-bit 
addressing modes are made available for all instruc- 
. tions referencing memory. This orthogonal instruc- 
tion set extension is accomplished having a Default 
(D) bit in the code segment descriptor, and by hav- 
ing 2 prefixes to the instruction set. | 


Whether the instruction defaults to apaistiens of 16 
bits or 32 bits depends on the setting of the D bit in 
_ the code segment descriptor, which gives the de- 
fault length (either 32 bits or 16 bits) for both oper- 
ands and effective addresses when executing that 
code segment. In the Real Address Mode or Virtual 
8086 Mode, no code segment descriptors are used, 
but.a D value of 0 is assumed internally by the 
intel486 Microprocessor when operating in those 
modes (for 16-bit default sizes compatible with the 
8086/ 801 86/80286). 


Two prefixes, the Gpsrand Size Prefix and the Effec- 


tive Address Size Prefix, allow overriding individually 
the Default selection of operand size and. effective 
address size. These prefixes may precede any op- 
code bytes and affect only the instruction they pre- 


cede. If necessary, one or both of the prefixes may 
be placed before the opcode bytes. The presence of © 
the Operand Size Prefix and the Effective Address. 
Prefix will toggle the operand size or the effective 


address size, respectively, to the value “opposite” 
from the Default setting. For example, if the default 
operand size is for 32-bit data operations, then pres- 
ence of the Operand Size Prefix toggles the instruc- 
tion to 16-bit data operation. As another example, if 
the default effective address size is 16 bits, pres- 
ence of the Effective Address Size prefix toggles the 


instruction to use 32-bit effective address computa-. 


tions. 


These 32-bit extensions are available in all Intel486 


Microprocessor modes, including the Real Address — 


Mode or the Virtual 8086 Mode. In these modes the 
default is always 16 bits, so prefixes are needed to 
specify 32-bit operands or addresses. For instruc- 
tions with more than one prefix, the order of prefixes 
is unimportant. | 


_Unless specified otherwise, instructions with 8-bit 


and 16-bit operands do not affect the contents of 
the high-order bits of the extended registers. 
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10.2.3 ENCODING OF INTEGER 
INSTRUCTION FIELDS 


Within the instruction are several fields indicating 
register selection, addressing mode and so on. The 
exact encodings of these fields are defined immedi- 
ately ahead. 


10.2.3:1 Encoding of Operand Length (w) Field 


For any given instruction performing a data opera- 
tion, the instruction is executing as a 32-bit operation 
or a 16-bit operation. Within the constraints of the 
operation size, the w field encodes the operand size 
as either one byte or the full operation size, as 
shown in the table below. . 


Operand Size 
During 16-Bit During 32-Bit 
Data Operations | Data Operations 


8 Bits | 8 Bits 
16 Bits 32 Bits | 


10.2.3.2 Encoding of the General 
Register (reg) Field 


. Operand Size 


The..general register is specified by the reg field, 
which may appear in the primary opcode bytes, or as 
the reg field of the “mod r/m” byte, or as the r/m 
field of the “mod r/m” byte. 


Encoding of reg Field When w Field 
is not Present in Instruction 


Register Selected | Register Selected 
During 16-Bit During 32-Bit 
Data Operations | Data Operations 


reg Field 


intel. 


Encoding of reg Field When w Field 
is Present in Instruction 


Register Specified by reg Field 
lel 16-Bit Data Operations: 


Function of w Field 


_ w = 0) — w = 1) 


Register Specified by reg Field 
During 32-Bit Data Operations 


Function of w Field 


leeres (when w =) 


10.2.3.3 Encoding of the Segment 
Register (sreg) Field 


The sreg field in certain instructions is a 2-bit field 
allowing one of the four 80286 segment registers to 
be specified. The sreg field in other instructions is a 
3-bit field, allowing the Intel486 Microprocessor FS 
and GS segment registers to be specified. 


2-Bit sreg2 Field 


Segment 
Register 
Selected 


2-Bit 
sreg2 Field 
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3-Bit sreg3 Field 


Segment 
Register 
Selected 


3-Bit 
sreg3 Field 


do not use 
do not use 


10.2.3.4 Encoding of Address Mode 


Except for special instructions, such as PUSH or 
POP, where the addressing mode is pre-determined, : 
the addressing mode for the current instruction is 
specified by addressing bytes following the primary 
opcode. The primary addressing byte is the “mod. 
r/m” byte, and a second byte of addressing informa- 
tion, the ‘“s-i-b’” (scale-index-base) byte, can be 
specified. -_ | - 


The s-i-b byte (scale-index-base byte) is specified’ 
when using 32-bit addressing mode and the “mod. 
r/m” byte has r/m = 100 and mod = 00, 01 or 10. 
When the sib byte is present, the 32-bit addressing 
mode is a function of the mod, ss, index, and base 
fields. | 


The primary addressing byte, the “mod r/m’” byte, 
also contains three bits (shown as TTT in Figure 
10.1) sometimes used as an extension of the pri-: 
mary opcode. The three bits, however, may also be 
used as a register field (reg). 


When calculating an effective address, either 16-bit 
addressing or 32-bit addressing is used. 16-bit ad- 
dressing uses 16-bit address components to calcu- 
late the effective address while 32-bit addressing 
uses 32-bit address components to calculate the ef- 
fective address. When 16-bit addressing is used, the 
“mod r/m”’ byte is interpreted as a 16-bit addressing 
mode specifier. When 32-bit addressing is used, the 
“mod r/m”’ byte is interpreted as a 32-bit addressing 
mode specifier. 


Tables on the following three pages define all en- 
codings of all 16-bit addressing modes and 32-bit 
addressing modes. 
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Encoding of 16-bit Address Mode with “mod r/m” ee 


_ Effective Address Effective Address 


DS:[BX+ SI] DS:[BX + SI+d16] 
-DS:[BX+ Di] DS:[BX + DI +16] 
SS:[BP + SI] -SS:[BP + SI+d16] 
SS:[BP + DI] SS:[BP.+ DI+ d16] 
DS:[SI] DS:[SI+d16] | 
DS:[DI] DS:[Di+ d16] 
DS:d16 SS:[BP + d16] 
DS:[BX] DS:[BX +16] 


DS:[BX + SI+ d8] 
DS: [BX + DI+ d8] 
SS:(BP + SI+ d8] 
SS:[BP + DI + d8] 
-DS:[SI+ d8] 
DS: [Di + d8] 
~ §S:[BP + d8] 
-DS:[BX+d8] 


Register Specified by r/m 
During 16-Bit Data Operations 


= a : iP eee) of w Field 


register—see below 
register—see below 
register—see below 
register—see below 
 register—see below 
register—see below 
_ register—see below 
register—see below 


Register Specified by r/m 
During 32-Bit Data Operations 


Function of w Field 
mod um 
ee] ee 
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Encoding of 32-bit Address Mode with “mod r/m’” byte (no “s-i-b” byte present): 


Effective Address 


DS:[EAX] 
DS:[ECX] 
DS:[EDX]. 
DS: [EBX] 


s-i-b is present 


DS:d32 
DS: [ESI] 
DS: [EDI] 


DS:[EAX + d8] 
DS:[ECX + d8] 


DS:[EDX + d8] . 


DS:[EBX + d8] 


s-i-b is present 


SS:[EBP + d8] 
DS:[ESI+ d8] 
DS:[ED! + d8] 


AL 


_register—see below . 


Register Specified by reg or r/m 
during 16-Bit Data Operations: 


| Function of w field 
mod r/m 
(when w= 0) (when w= 1) 


Effective Address 


DS:[EAX + d32] 
DS:[ECX + d32] 
DS: [EDX + d32] 
DS:[EBX + d32] 
s-i-b is present 
SS:[EBP + d32] 
DS:[ESI+d32] | 
DS:[EDI+ d32] 


register—see below 
register—see below 
register—see below 
register—see below 
register—see below 
register—see below 


register—see below 


Register Specified by reg or r/m 
during 32-Bit Data Operations: 


Function of w fleld 


(when Ww 1) 


intel. 
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| Enc of 32-bit Address Mode (“mod r/m” byte and “‘s-i-b” byte present): 


_Effective Address 


DS: “TEAX+ (scaled index)] 
DS:[ECX + (scaled index)] © 
DS:[EDX + (scaled index)] 
DS:[EBX + (scaled index)] 

~ §S:[ESP + (scaled index)] — 
DS:[d32 + (scaled index)] 
DS:[ESI-+ (scaled index)] - 
DS: [EDI + (scaled index)] 


DS: [EAX + (scaled index) + d8] 

DS:[ECX + (scaled index) + d8] 

DS:{EDX + (scaled index) + d8] 

“DS: [EBX + (scaled index) + d8] 
SS:[ESP +.(scaled index) + d8] 

_ §S:[EBP + (scaled index) + d8] 
DS:[ESI+ (scaled index) + d8] 
DS:[EDI+ (scaled index) + d8] 


_ DS:[EAX + (scaled index) + d32] 
~ DS:[ECX + (scaled index) + d32] 
DS:[EDX + (scaled index) + d32] _ 
‘DS:[EBX + (scaled index) + d32] 
SS:[ESP + (scaled index) +d32] - 
SS:[EBP + (scaled index) + d32] 
DS:[ESI+ (scaled index) + d32] 
DS: [EDI + (scaled index) + d32] 


NOTE: 


Mod field in mee r/m” se ss, index, pase: fields in 


“s-i-b” shee 
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00 . . x1 


EAX 
ECX 
EDX 
EBX 
no index reg** 
~  EBP 
ESI 
EDI 


**IMPORTANT NOTE: 
When index field is 100, indicating “‘no index register, is then 


SS field MUST equal 00. If index is 100 and ss does not 


equal 00, the effective address is undefined. 


intel. 
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10.2.3.5 Encoding of Operation 
Direction (d) Field 


In many two-operand instructions the d field is pres- 
ent to indicate which operand is considered the 
source and which is the destination. | 


Direction of Operation 


Register/Memory <- - Register 
“reg” Field Indicates Source Operand; © 


“mod r/m” or “mod ss index base” Indicates | __ 


Destination Operand 


Register <- - Register/Memory . 
“reg” Field indicates Destination Operand; 
“mod r/m” or “mod ss index base” Indicates 
Source Operand 


10.2.3.6 Encoding of Sign-Extend (s) Field 


The s field occurs primarily to instructions with im- 
mediate data fields. The s field has an effect only if 
the size of the immediate data is 8 bits and is being 
placed in a 16-bit or 32-bit destination. | 


_ Effecton ’ 
immediate 
Data 16/32 


Effect on 
immediate 
Data8 


None 


Sign-Extend Data8 to Fill 
16-Bit or 32-Bit Destination 


10.2.3.7 Encoding of Conditional 
Test (tttn) Field 


For the conditional instructions (conditional jumps 
and set on condition), tttn is encoded with n indicat- 
ing to use the condition (n= 0) or its negation (n= 1), 
and ttt giving the condition to test. 
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Overflow. 

No Overflow 

Below/Not Above or Equal 
Not Below/Above or Equal 
Equal/Zero- | 

Not Equal/Not Zero 
Below or Equal/Not Above 


Not Below or Equal/Above 
Sign 
Not Sign 
Parity/Parity Even 
Not Parity/ParityOdd 
Less Than/Not Greater or Equal 
| Not Less Than/Greater or Equal 
Less Than or Equal/Greater Than 
Not Less or Equal/Greater Than 


10.2.3.8 Encoding of Control or Debug 
or Test Register (eee) Field 


For the loading and storing of the Control, Debug 
and Test registers. ee 


When Interpreted as Control Register Field 


eee Code 
000 : CRO 
010 - OR2. 
Ott ue CR3 


Do not use any other encoding . 


When Interpreted as Debug Register Field 


eee Code Reg Name 


000 DRO 


001 DRI 
010 DR2 
011 DR3 
110 DR6 


DR7 


Do not use any other encoding 


When Interpreted as Test Register Field 


“eee Code 
011 - | 
100 
101 
110. 


Do not use any other encoding 2 i. 
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_ Instruction 


oO 2 O MM = 


10.2.4 ENCODING OF FLOATING POINT 
INSTRUCTION FIELDS 


Instructions for the FPU. assume one of the five 


forms shown in. the following table. In all cases, in-. 
structions are at least two bytes long and begin with 


the bit pattern 11011B. 


OP = Instruction opcode, possible split into two 
fields OPA and OPB | — 


MF = Memory Format 
00—32-bit real 
01—32-bit integer 
10—64-bit real | - 
11—16-bit integer 


P= Pop 
O—Do not pop stack Ge 
1—Pop stack after operation = 


d = Destination 
0—Destination is ST(0) 
1—Destination is ST(i) 


R XOR d = 0—Destination (op) Source 
R XOR d = 1—Source (op) Destination. 


ST(i) = Register stack element / 
000 = Stack top 
001 = Second stack element 
© 
. e 
e@ 


_ Eighth stack element 


111 


mod (Mode field) and r/m (Register/Memory specifi- 
er) have the same interpretation as the correspond- 
ing fields of the integer instructions. 


s-i-b (Scale Index Base) byte and disp (displace- 
ment) are optionally present in instructions that have 
mod and r/m fields. Their presence depends on the 


values of mod and r/m, as for integer instructions. . 
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APPENDIX F 
NUMERIC EXCEPTION SUMMARY. 


The following table lists the instruction mnemonics in alphabetical order. For each mne- 
monic, it summarizes the exceptions that the instruction may cause. When writing 
numeric programs that may be used in an environment that employs numerics exception 
handlers, assembly-language programmers should be aware of the possible exceptions 
for each instruction in order to determine the need for exception Sn 
Chapter 18 expiains the need for exception synchronization. ne 


F2XM1_ | 2*—4 

FABS a Absolute value 
FADD(P) Add real 

FBLD | BCD load 

FBSTP | | | BCD store and pop: 
FCHS | Change sign 

FCLEX Clear exceptions 
FCOM(P)(P) Compare real 

FCOS Cosine 

FDECSTP Decrement stack pointer 
FDIV(R)(P) Divide real 

FFREE Free register 

FIADD Integer add 

FICOM(P) Integer compare 

FIDIV Integer divide 

FIDIVR Integer divide reversed 
FILD Integer load 

FIMUL Integer multiply 
FINCSTP Increment stack pointer 
FINIT Initialize processor 


K<<<<< «< << <<<<<*< 


< <<<< < << 
<< <<<< «~ << 


FIST(P) 
FISUB(R) 
FLD extended or stack 
FLD single or double 
FLD1 | 
FLDCW 
FLDENV 
FLDL2E 
FLDL2T 
FLDLG2 
FLDLN2 
FLDPI 
FLDZ 
FMUL(P) 
FNOP 
FPATAN 
FPREM 
FPREM1 
FPTAN 
FRNDINT 
FRSTOR 
FSAVE 
FSCALE 


Integer store 
Integer subtract 
Load real 

Load real 

Load + 1.0 

Load Control word 
Load environment 
Load logze 


~ Load log,10 


Load 10g452 

Load log,2 

Load w 

Load + 0.0 
Multiply real 

No operation 
Partial arctangent 
Partial remainder 
IEEE partial remainder 
Partial tangent 
Round to integer 
Restore state 
Save state 

Scale 


FA 


Y 
Y 
Y 
Y 
Y 
Y 
Y 
Y 
Y 
Y 
¥ 
Y 
Y 
Y 
a 
Y 
Y 
Y 
Y 
Y 
Y 


< <<<<<< < 


< <<<<<< < 


FSIN 
FSINCOS 
FSQRT 


FST(P) stack or 


extended 


FST(P) single or double | 


FSTCW 


' FSTENV 


FSTSW (AX) 
FSUB(R)(P) 
FIST 


-FUCOM(P)(P) 


FWAIT | 


~ FXAM > 


oe 


FXCH © 

FXTRACT 
FYL2X: 
FYL2XP 1 


— Zero-divide 
— Overflow . 
+ Underflow. 


— Inexact result (precision) 
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Instruction _ 


Sine 
Sine and cosine 


_ Square root 


Store real 


Store real 
Store control word 


- Store environment 


Store status word » 
Subtract real 
Test 

Unordered compare real 
CPU Wait . 
Examine “ 
Exchange reuistets 
Extract 

Y - logsx 

Y= loga(X + 1) 


— Invalid operand due to stack eOManCeMeN 
— Invalid operand due to other cause 
— Denormal operand es 
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APPENDIX G 
CODE OPTIMIZATION 


The Intel486 processor is binary-compatible with the Intel386 DX and SX processors. 
Only three new application-level instructions have been added, which are useful in spe- 
cial situations. Any existing 8086/8088, 80286 and Intel386 processor applications will be 
able to execute on the Intel486 processor immediately without any modification or 
recompilation. Any compiler that currently generates code for the Intel386 processor 
family will also generate code that will run on the Intel486 processor without any modi- 
fications. 


However, there are certain code-optimization techniques which will make applications 
execute faster on the Intel486 processor with only minor or no change to their perfor- 
mance on the Intel386 DX or SX processor, except possibly for code size differences. 
These techniques have to do with instruction sequence selection and instruction sched- 
uling to take advantage of the internal pipelined execution units of the Intel486 proces- 
sor and the large on-chip cache. 


G.1 ADDRESSING MODES 


Like the Intel386 processors, the Intel486 processor needs an additional clock cycle to 
generate an effective address when an index register is used. Therefore, if only one 
indexing component is used (i.e., not both a base register and an index register), and 
scaling is not necessary, then it is faster to use the register as a base rather than an index. 
For example: 


mov eax, [esi] ; use eSi as base 
mov eax, [esix] ; use esi as index,.1 clock penalty 


If both base and index are used, or if scale indexing is necessary, then it is faster to use 
the combined addressing mode, even though it will take an additional clock cycle to 
execute. 


When a register is used as the base component, an additional clock cycle is used if that 
register is the destination of the immediately preceding instruction (assuming all instruc- 
tions are already in the prefetch queue). So to get the best performance, the two instruc- 
tions should be separated by at least one other instruction. For example: 


add eSi, eax ; @Si is destination register 
mov eax, [esi] 3; esi is base, 1 clock penalty 


There are other hidden or implicit usages of destination and base registers, primarily the 
stack pointer register ESP. The ESP register is the implicit base of all PUSH/POP/RET 
instructions and it is the implicit destination for the CALL/ENTER/LEAVE/RET/ 
PUSH/POP instruction. Therefore a LEAVE instruction followed immediately by a 
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RET instruction will use one additional clock. But if the LEAVE and RET are rear- 
ranged so that they are separated by another instruction, then no such penalty is 
entailed. (See other recommendations regarding the LEAVE instruction.) 


It is not necessary to separate back-to-back PUSH/POP instructions. The Intel486 pro- 
cessor will allow this sequence without i eurEDe an additional clock. 


All such instruction rearrangements of the instructions will not affect the > performance of 
Intel386 processors. : 


The Intel486 processor will also take an additional clock to execute an instruction unet 
has porn an immediate data field and a memory offset held. For example: 


mov dword ptr foo, 1234h ; both immediate and memory offset | 
mov dword ptr baz, 1234h — | | 
mov Cebp-28@8), 1234h 


When it is necessary to use constants, it would still be more efficient to use immediate 
data instead of loading the constant into a register first. But if the same immediate data 
is used more than once, then it would be faster to load the constant in a register and 
then use the register multiple times. This optimization will not affect the performance of 
Intel386 processors. The following sequence is faster than the one above, if all instruc- 
tions are in the prefetch queue, and peeause the instructions are SHOrneK, it will actually 
make it easier to prec | _ 7 


mov eax, 1234h 

mov dword ptr foo, eax 
mov dword ptr baz, eax 
mov Cebp-200)], eax 


G.2 PREFETCH UNIT 


The Intel486 processor prefetch unit will access the on-chip cache to fill the prefetch 
queue whenever the cache is idle, and there is enough room in the queue for another | 
cache line (16 bytes). If the prefetch queue becomes empty, it can take up to three 
additional clocks to start the next instruction. The prefetch queue is 32 bytes in size (2 
cache lines). 


Because data accesses always have priority over prefetch requests, keeping the cache 
busy with data access can lock out the prefetch unit. 


Therefore it is important to arrange the instructions so that the memory bus is not used 
continuously by a series of memory reference instructions. The instructions should be 
rearranged so that there is a non-memory referencing instruction (such as a register/ 
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register instruction) at least two clocks before the prefetch queue becomes exhausted. 
This will allow the prefetch unit to transfer a cache line into the queue. For example: 


mov mem, 1234567h 10 bytes 
mov mem, 1234567h 10 byies 


mov mem, 1234567h 10 bytes 
mov mem, 1234567h ~ 10 bytes 
mov mem, 1234567h 10 bytes 
add reg, reg 2 bytes 


If the prefetch queue started out full, then by the third MOV instruction, there is 
enough room for another cache line in the queue, but because the memory bus is con- 
tinuously being used, there is no time for the transfer from the cache to the prefetch 
queue. If a non-memory instruction is not inserted before or after the third MOV 
instruction, the queue will be exhausted by the fourth MOV instruction. In this case, the 
instructions should be rearranged so the ADD instruction is before or after the third 
MOV instruction, to allow the cache to transfer another instruction line to the prefetch 
unit. 


No such rearrangements of the instructions will affect the performance of the Intel386 
DX processor. 


G.3 CACHE AND CODE ALIGNMENT 


On the Intel386 DX processor, the destination of any JUMP/CALL/RET instructions 
should be aligned on a 0-mod-4 address, this helps the instruction prefetch unit in filling 
the prefetch queue as quickly as possible, since fetches are done 4-bytes at a time on 
aligned boundaries. On the Intel486 processor, because of the on-chip cache, any 
instruction fetch will fetch 16 bytes to fill a cache line. Therefore better performance can 
be obtained by aligning JUMP/CALL/RET destinations at 0-mod-16 addresses. | 


However, aligning at 0-mod-16 will cause the code to grow bigger, and the tradeoff 
between execution speed and code size is important. 


Therefore, it is recommended that only the function entry address (i.e., destination of 
CALL instructions) be aligned on a 0-mod-16 address; while all labels (i. e., destination 
of JUMP instructions) will continue to be aligned on 0-mod-4 addresses. | 


On the Intel486 processor, it takes up to five additional clocks to start execution of an 
instruction if it is split across two 16-byte cache lines. For example, if a CALL instruction 
ends at address OxOO00000E and the next instruction is a multiple-byte instruction, then 
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upon return from the: CALL, the processor must take five additional clocks to fill the 
prefetch queue if the target instruction is not already in the cache. Even if the target 
instruction is already in the cache, it will take an additional 2 clocks to transfer it into 
the prefetch unit. _ 


So if the compiler knows the alignment of the destination, then it will be faster to insert 
a filler instruction so that the multiple- byte instruction starts on an aligned address. This 
can be done either by rearranging the instructions or actually inserting a NOP 
instruction. 


Such -instruction -alignments will also improve the performance on the Intel386 
processors. 


G.4 NOP INSTRUCTIONS © 


Sometimes programs need filler between instructions to align them. On the Intel386 and 
Intel486 processors, there is a one-byte NOP instruction which is really an exchange 
EAX with EAX. | 


Other lengths can be executed in a single clock. The table below lists some. 


i-byte inc reg will modify register and flags ~ 


~we 


e-bytes mov reg, reg ; true NOP 

jJ-bytes lea reg, eee * true NOP, use &-bit displacement 
S-bytes mov. eax, Q ; will modify eax register 
S-bytes add eax, @ ‘3 will modify flags 


b-bytes lea reg, Ofeax]: 3; true ae use 3e- bit mene 


Additionally, many of the ee processor instructions have several forms 
and lengths, using different-sized immediate data or different-sized memory offsets. Also 
some instructions have shorter.forms if the destination register is EAX/AX/AL, 


Not all instructions with different forms will execute in the same clocks. An example | 
where different forms will execute in different clocks is the PUSH/POP REG. instruc- 
tions, if they are coded in the one- byte form, they will execute in one clock, but if coded 
in the 2-byte form, they will execute in 4 clocks. . 


The NOP replacement instructions will also execute faster than the XCHG instruction 
on Intel386 processors. Using different forms of the same instruction will not affect 
performance on the Intel386 processor. os ao ae 4 ea se 
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G.5 INTEGER INSTRUCTIONS 


The Intel486 processor can execute most of the frequently-used instructions (such as 
register load/store, register ALU operations, etc.) in one clock. However, unlike the 
Intel386 processor, some of the memory operations now take more clocks than the cor- 
ne register instructions. For example, the PUSH MEM instruction: 


7 tnstruction | tntel086™ DX CPUCiocks | nlel4a6™ GPU Clocks 


mov reg, mem 
push reg 
push mem - 


So for the Intel486 processor, loading a value from memory into a register first and then 
pushing that register will result in a net saving of 2 clocks; but for the Intel386 DX 
processor, the same instruction sequence will result in a net loss of one clock. However, 
in order to load the value into a register on the Intel486 processor, an empty register 
must be found; if the action of loading the value will destroy a value in a register that 
may be re-used later, then the saving may be negated by the loss of the re-usable value. 


Another example is the LEAVE instruction: 


7 ——~inetruction | _tntel086™ DX CPU Clocks inel486” GPU Clocks 


mov esp, ebp si + | 1. 


pop ebp | a oo AA (esp. penalty) . 
leave | , co 


Again, for the Intel486 processor, doing the MOV/POP sequence will result in a net 
saving of 2 clocks over the LEAVE instruction; while on the Intel386 DX processor, the 
LEAVE instruction is both faster and shorter. However, because the first MOV instruc- 
tion uses ESP as the destination register, and the POP instruction also implicitly uses the 
ESP register as a base (as mentioned above), this sequence will result in a one clock 
penalty unless the two instructions are separated by another instruction. If it is possible 
to rearrange the instructions so the MOV/POP instructions are separated by a useful 
instruction, then the net savings over a LEAVE instruction is 3 clocks:on the Intel486 
processor. 


Because the Intel486 processor can operate with operands in registers faster than out of 
memory (just like most other architectures), it is important to have good register alloca- 
tion and value tracking optimizations in any compiler. On the other hand, there is: no 
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savings in loading up every value before using it, as ina RISC architecture. The Intel486 
processor can perform reg, mem type ALU operations as fast as load/op/store sequences. 
For reins for the assignment 


mem1 = ‘neni + meme 


the following instruction sequences could be used, with varying total clock counts on ae 
Intel386 DX and SX processor, but identical clock counts on the Intel486 processor: 


Intel386™ DX CPU Clocks Intel486™ CPU Clocks 


mov eax, mem1 
| mov ebx, mem2 

add eax, ebx 

mov m mem1, eax 


mov eax, mem1 _ 
add eax, mem2 
-mov mem1, eax 
~mov eax, mem1 
add mem2, eax 


The MOVZX is another example where the Intel486 processor can execute faster using 
simple instructions, if the destination | is a register that is 3 also byte addressable. For 
example, loading a byte value: 


Intel486™ CPU Clocks 
movzx eax, mem1 | | 3 + 1 (OFh prefix) 
_ xor eax, eax sme gleaees : | i 


movb al, mem1 > 1 


So for the Intel486 processor, clearing the register first and then loading the byte value. 
may result in a net saving of two clocks (depending on whether the prefix decode clock 
can be overlapped. with the previous instruction, see Section G.8 on Prefix opcodes), 
while there is no difference in performance on the Intel386 DX processor. 


G.6 CONDITION CODES 


In some high level languages, it is sometimes necessary to convert the result of a boolean . 
condition (e.g., equality, greater-than or less-than, etc.) into a true or false (i.e., 0/1) 
value: The Intel386. and Intel486 processors normally maintain the results of compari- 
sons in the flags register, so in order to convert the result of a comparison into a true/ 
false value, it is necessary to convert the flags settings into an integer-value. : 
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The Intel386 and Intel486 processors have a set of SETcc instructions which will do such 
conversions, however, the SETcc instructions take 3 or 4 clocks to execute on the 
Intel486 processor depending on whether the condition being tested for is true or false. 
Specifically while comparing unsigned values for greater-than or less-than, there is an 
optional sequence to use. For example, if “x” and “‘y” are both unsigned values, and “*x”’ 
is loaded into register eax and “y” is loaded in register ecx, then the code for “(x < yy” 


could be generated in several ways: 


| instruction | Intel386™ DX CPU Clocks Intel486™ CPU Clocks 


cmp 
mov 

jnb 

mov eax, 1 
L1: 


cmp eax, eCx 
setb al 
movsx eax, al 
cmp eax, ecx 
sbb eax, eax 
neg eax 


So using the SBB instruction to capture the flags setting of an unsigned compare gives 
the fastest performance, without breaking the prefetch pipeline because there are no 
jumps involved. Note that although this is specific for the “(x < y)” condition, it is 
possible to transform other tests to this form by either negating the condition or by 
exchanging the operands. 


Such condition code instruction replacements will also improve the performance on the 
Intel386 CPUs. , 


G.7 STRING INSTRUCTIONS 


Like the Intel386 DX processor, the Intel486 processor executes string instructions 
slower than the load/store instructions. For example, the LODS instruction: 


| Instruction Intel386™ DX CPU Clocks Intel486™ CPU Clocks | 


mov eax, [esi] 


add esi, 4 


lods 


The LODS instruction does more than the individual MOV instruction, it also updates 
the ESI register. However, if it is not necessary to have the register updated, then the 
MOV instruction will result in a net saving of 3 clocks on both the Intel386 DX and the 
Intel486 processors. The minor tradeoff is that the LODS instruction is shorter oe the 
MOV instruction. : 
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Also in a non-REPeated usage, individual MOV instructions will always be faster than 
the string MOVS instruction. And even in a REPeated loop, if the loop is small enough, 
it will be faster to use individual load/store instructions than to set up for a REPeated 
MOVS. The tradeoff again is speed vs. code space, with the REP MOVS loop being 
shorter but slower. However, as discussed above, a long sequence of load/store instruc- 
tions will prevent the prefetch unit from filling the prefetch queue and slow the proces- 
sor, so the recommendation is not to move more than 16 bytes with load/store 
instructions before a non- -memory instruction to allow the prefetch unit to access the 
cache. 


Similar optimizations can also be made for the STOS and other string instructions. Such 
string instruction replacements will also improve the performance on the Intel386 
processor. . 


G.8 FLOATING-POINT INSTRUCTIONS 


As with the Intel386 processor/Intel387 math coprocessor combination, the floating 
point unit of the processor is a separate execution unit and it operates in parallel with 
the integer unit, even though they are physically, on the same chip. Therefore any 
instruction sequence that allows the two independent units to execute in parallel will be 
faster. 


Floating point instructions should not be placed one immediately after another. The 
instructions should be rearranged so that two floating point instructions are separated by 
other non-floating point instructions so the two units can execute in parallel. Pay partic- 
_ ular attention to the clock counts of the floating point instruction, so sufficient number 
of integer instructions could be executed without causing the floating point unit to wait 
before the next floating point instruction is issued. Such rearrangements of the instruc- 
- tions will also improve the performance on the Intel386 processor/Intel387 math copro- _ 
cessor, however, the clock counts used by the processor is much lower than the clock 
counts used by the Intel387 math coprocessor for the same floating point instructions. 


As a reminder, any simple arrangements or movement of floating point values should not 
be done via the floating point unit, but rather through the integer unit with integer 
instructions. Also FWAIT’s are never required around simple floating point instructions. 


G.9 PREFIX OPCODES. 


On either processor, all prefix opcodes, including 0Fh, segment override, operand size/ 
addressing, bus-lock, repeat, etc. require an additional clock to decode. This clock can be 
overlapped with the execution of the previous instruction if it takes more than one clock 
to execute. 


Therefore it will be faster to expand 16-bit operands to a full 32-bits and then operate on 
the 32- bit value instead ot using the een eos to epetale on 16-bit Ope nants 


If prefix opcodes must be used, try to rearrange the instructions so that the instruction | 
with the prefix is after an instruction that takes multiple clocks to execute. : 
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An additional reason for not using 16-bit operands is that if the destination of one 
instruction is a 16-bit register, and the immediately following instruction uses that regis- 
ter as a 32-bit operand, then there is a one clock penalty. Again, the two instructions 
should be separated by another instruction to avoid the penalty. 


G.10 OVERLAPPED CLOCKS 


As mentioned above, there are several situations where an instruction will take an extra 
clock to execute, but some of these extra clock penalties can overlap with one another. 
So an instruction that uses multiple features mentioned above will not necessaily have a 
total penalty that is the sum of the individual penalties. 


In nacieulne: the following combinations will overlap: 


e Having an index register and an immediate field with a memory offset field will only 
cost a one clock penalty. | , 


e Having a prefix opcode and using the result register of the previous instruction as a 
base will only cost a one clock penalty. 


e Having a prefix opcode after a multi-clock instruction will not cost any additional 
clock penalty. 


G.11 MISCELLANEOUS USAGE GUIDELINES 


The instruction set of the Intel386 processors was designed with certain programming 
practices in mind. Many of these practices remain relevant in assembly-language pro- 
gramming for the Intel486 processor, and may be of interest in compiler design as well. 


e Use the EAX register when possible. Many instructions are one byte shorter when 
the EAX register is used, such as loads and stores to memory when absolute 
addresses are used, transfers to other registers using the XCHG instruction, and 
operations using immediate operands. | 


e Use the D-data segment when possible. Instructions which deal with the D-space are 
one byte shorter than instructions which use the other data segments, because of the © 
lack of a segment-override prefix. 


e Emphasize short one-, two-, and three-byte instructions. Because instructions for the 
Intel486 processor begin and end on byte boundaries, it has been possible to provide 
many instruction encodings which are more compact than those for processors with 
word-aligned instruction sets. An instruction in a word-aligned instruction set must be 
either two or four bytes long (or longer). Byte alignment reduces code size and 
increases execution speed. 


e Access 16-bit data with the MOVSX and MOVZX instructions. These instructions 
sign-extend and zero-extend word operands to doubleword length. This eliminates the 
need for an extra instruction to initialize the high word. 


e For faster interrupt response, use the NMI interrupt when poscible: 
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In. pac of using | an ENTER instruction at ae level 0, use a code se ace like: 


BUSH EBP 
MOV EBP, ESP” 


SUB ESP, BYTE_COUNT 


This executes in seven clock cycles, rather than ten. 


The following techniques may be applied as optimization to candies the speed oe a 
seen after its basic functions have been implemented: . be “Wg ' 


‘ 


The’ jump instructions come in 1 two forms: one form has an eight- bit immediate for 
relative jumps in the range from 128 bytes back to 127 bytes forward, the other form 
has a full 32-bit displacement. Many assemblers use the long form in situations where 
the short form can be used. When it is clear that the short form may be used, explic- 
itly specify the destination operand as being byte length. This tells the assembler to 


_ .use the short, form. If the assembler does not support this function, it will generate an 


error. Note that some assemblers perform this optimization automatically. 


Use: the ESP register to reference the stack in the deepest level of subrounnes Don’t 
bother setting up the EBP register and stack frame... : Rite a  %gee 


For fastest: task switching, perform task switching in seh aie: This‘allows a smaller 


processor state to be saved and restored. See Chapter 7 for a discussion of 
multitasking. 


Use the LEA instruction for adding ee together. When a base register and 
index register are used with the LEA instruction, the destination is loaded with their 


_ sum. The contents of the index register may be scaled by 2, 4,.or 8. 


Use: the LEA instruction for adding’ a constant to’a register. When a base sevice and 


a displacement are used with the LEA instruction, the destination is loaded with their 


sum. The LEA instruction can be used with a base TgeStcl: index eee scale 


factor, and, displacement. _ 
~ Use integer move instructions to transfer floating: point data. 


Use the form of the RET instruction which takes an immediate wale: for bie: -count, 
| rather than an ADD ESP instruction. It saves one clock cycle and three bytes on 


every subroutine call. 


When several references are made to.a variable addressed with a POR CuE HE load 
the Displacement into a pepister. sas | ii th 


a The PUSH and POP instructions, when used ‘with: an n operand in memory, ‘take two 
more clock cycles. to execute than an equivalent. two-instruction sequence which 
moves the operand through a general register before pushing it on the stack. 


~The LOOP instruction takes two more clock cycles to execute oon the equivalent 
decrement and conditional j jump instructions.. | ae 


4 . 


The JECXZ instruction takes one more clock cycle to execute than ne equivalent 
compare and conditional jump. instructions. oe rid . . | 
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Use ADD reg, reg instead of SHL reg, 1. The opcode length is the same, but the add will 
execute in one clock instead of three for the shift instruction. The flags are affected in 
the same way by both instructions, except that the add instruction sets the auxilliary 
carry flag (AF), while the shift instruction leaves it undefined. | 


Also, use ADC reg, reg instead of RCL reg, 1. As with in the previous case, the opcodes 
have identical lengths, but the add executes in the one clock versus three clocks for the 
rotate. However, note that RCL reg, 1 only affects OF and CF, while the add will 
additionally change SF, ZF, AF, and P. 


The above also applies to the Intel386 CPU. Due to the different clock counts on the 
Intel386 CPU, the achievable speed improvement will be much less. Note that the sub- 
stitutions given above do not negatively affect performance on the 286, since clock 
counts for replaced and replacing instruction is identical on that CPU. 
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Revision History 


APPENDIX H 
REVISION HISTORY 


Revision of the Intel486™ Microprocessor Family Programmer’s Reference Manual contains 
many updates and improvements to the original version. A revision summary of major 
changes is listed below. 


The sections significantly revised since version 1 -001 are: 


Section 3.11 
Section 4.1.1 


Section 5.3.4 


Section 6.2.2. 
Section 6.5 | 


Figure 6-9 


Table 6-4 
Table 7-1 


Table 7-2 


Table 9-2 
Section 9.9.14 
Table 9-7 


Figure 10-2 
Section 10.2 


Figure 11-1 


The fepiictions INVD dail WBINVD were included for shicesion 
and the CPU detection code was updated i in 1 Figure 3-23. 


Clarified that ihe POPF and POPED instructions have no affect on 
the RF and VM flags. 


Stated the absence of the Dirty bit in the page directory. © 


Included B-bit clarification. in the description of expand-down data 
seement ranges. 


Clarified that only a CALL instruction can use. - gates to transfer to 
more privileged levels. 


Corrected by adding EFLAGS as part of the new stack. 


Corrected Combined Effect columns for page. directory’and page 


table protection. 


Corrected Exceptions and Error Code: References made during a 
Task Switch. 


Clarified the NT flag a as not changed due t to JUMP. 


Changed deseaotion to show Faults: from prefetching ive a awe 
priority than NMI’s. 


Clarified the state of the page , table ad page directory access it 


tO ORORE a page level fault. 


Corrected note 2 by stating the seat on an anvaler TSS « excep. 
tion is conditional. | 


Clarified that the most significant bits are used ‘to disable modes. 


Added Intel486 SX microprocessor initialization. 


' Added GD bit, changed breakpoint addresses to linear and clarified 


hardwired bits must remain undefined. 
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Section 11.2.2 


Section 11.3.1.2 


Section 12.3.1 
Section 15.1.2 


Section 15.1.3 
Figure 15-5 
Table 16-9 


Table 16-10 - 


Table 16-11 
Section 16.2.3 


Section 19.2.3.2 


Table 22-1 


Table 22-2 


Section 24.1 | 
Section 24.4.2 


Section 25.1 


Section 26.1.3 


Table 26-2 


Table 26-3 


Section 26.2.2.2. 


REVISION HISTORY 


Description of the GD bit has been added. 


Clarified explanation that — reporting is independent of the 
GE/LE bit settings. 


Specification change for PCD and PWT. bits. 
Corrected the Top of STack bits oF the Status ou. 


Described the rounding-control bits of the FPU Snel more as 
also affecting non- -arithmetic instructions. 3 


| Clarified the presence of an Opcode for the Cs selector. 


Added Figure 15-5 iescabine opcode field. 


_ Added pseudodenormals to table. 


'. Deleted pseudodenormals as being part of the unsupported formats. 


Corrected final state of C, for Remainder instructions and Trigono- 


—. metric instructions. ’ 


Added description of the masked response returned by an FYL2X 
instruction as a result of division by zero. | 


Added Intel486 SX CPU soitware enon: 


Defined - more er a the description of sence puns and 
Interrupts. © 7 nd ¢ : 


4 Corrected vector 6 description. 


Giantess the B-bit as also controling the upper ADD range for 
expanded down. 


Described the ESP register to be atecliable when switching from 


32-bit to 16-bit code then back to 32 bit. 


Clarified the ET-bit as pone hardwired to 11 upon reset. 


Ricplaced B bit with D bit. 


~. Corrected effective address column. 


Corrected effective address column... 


Clarified m as a memory seta: and cance the use of extended 
registers for m8 and m16. . | 
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REVISION HISTORY 


Clarified the AF flag as undefined for the AND instruction. 
Flags clarified for BSF and BSR instructions. 


For BT, BTC, BTR and BTS instructions the affect of the high-order 
bits in the immediate bit offset are clarified. 


Added explanation for a CALL indirect-thru-memory in CALL 
instruction description. 


Opcode for CMPXCHG instruction has been changed. 
The OF flag has been clarified as undefined for the DAA instruction. 
Corrected table describing the DIV instructions use of registers. 


Clarified C, flag to. be zero for FCOM/FCOMP/FCOMPP 
instructions. , 


The CF and OF flags have been clarified for the IMUL instruction. 


Corrected one of the INC opcodes. 
Ghanced r/m to m for INS instruction. 


Corrected interrupt-to-inner-privilege description of INT/INTO 
instructions. 


Clarified Intel486 microprocessor detection for INVD and INVLPG 
instructions. 


Gate easier types 6 gia aa F have been redefined for the LAR 
instruction. 


For ieee eee instructions, a #UD fault has been 
described in protected mode. 


Opcode has been corrected for LMSW instruction. 


Added CMPXCHG and XADD instructions to list of LOCK usable 


- Instructions. 


Clarified use of MOV r/m16, Sreg instruction for use in protected 
mode. 


Corrected the clocks for the MUL instruction. 


Clarified a POP-to-memory instruction and a POP eSP instruction. 
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Appendix E 


Table 10.1 


Table 10.2 


Table 10.3 


Appendix G 


Section G.11l 


REVISION HISTORY 


Clarified a POP-to-memory instruction and a POP eSP instruction. 
Clarified a PUSH-from-memory instruction. 

The opcode for REP LODS has been corrected along with the des- 
tinations. Added note to NOT use the ee prefix with the loop 
instruction. 


The CF flag aa been clarified for SHL and. SHR instructions. 


The description of the SBB and SUB instructions has been clarified. 


The description of SETcc has been corrected for opcode 0F96H and_ 


OFOFH. 


Opcode for STI instruction has been corrected and Virtual Mode 
Exceptions have been defined. 


Operation of XADD instruction has been fixed. 


Added note that XCHG 7 be used in place of BSWAP for 16-bit 


data and fixed clock count. 


Duplicate opcodes for TEST Ib/lr and SHL have been deleted. 


Position 82 (MOVB) on one-byte opcode map has been deleted. 


_Opcodes for MOV Td, Rd and MOV Rd, Td have been corrected. 


Added Oe and CDQ instructions to oe and CWD. 


| Cures eet format se REP LODS. REP MOVS and REP 


STOS instructions. 
Corrected instruction ianacet LTR (ae aieton 


Corrected instruction format of REP INS and REP OUTS 
instructions. 


Corrected instruction format of FSTP 32-bit instruction. 


Corrected instruction format of FUCOMPP, FSUBR ST(d), FDIV 
64-bit, FDIV ST(d), and FDIVR ST(d) instructions. 


Designation of ADD instead of SHL instruction and ADC instead of 
RCL instruction has been added. 
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Abort: An exception which is ‘completely unrecoverable, such as stack exception during 
an attempt to invoke an exception handler. ; 


Address: See Logical Address, Linear Address, and Physical Address. 
Address Space: The range of memory locations which may be accessed by an address. - 


Address-Size Prefix: An instruction prefix which selects the size of address offsets. Off. 
sets may be 16- or 32-bit. The default address size is specified by the D bit in the code 
segment for the instruction. Use of the address-size prefix selects the non-default size. 


Address Translation: The process of mapping addresses from one address space to 
another. Peementalon and paging both perform address translation. : 


Base Address: The address of the beginning of a data structure, such as a segment, 
descriptor table, page, or page table. 


Base eee A register used for address: an operand relative to an address held in 
the register. | | te | 


Base: (1) A term used in logarithms and exponentials. In both contexts, it is a number 
that is being raised to a power. The two equations (y=log base b of x) and (by =x) are 
the same. (2) A number that defines the representation being used for a string of digits. 
Base 2 is the binary representation; base 10 is the decimal representation; base 16 is the 
hexadecimal representation. In each case, the base is the factor of increased significance 
for each succeeding digit (working up from the bottom). (3) See Base Address. 


BCD: Binary Coded Decimal; a format for representing numbers in base 10. One byte is 
used for each digit of the number, with bit positions 0 to 3 specifying the value for the 
digit. The auxiliary carry flag isused to perform BCD arithmetic. The FPU supports a 
packed form of BCD, in which 18 digits and .a sign bit are contained in an 80-bit. 
operand. 


_ Bias: A constant that is added to the true exponent of a real number to obtain the 
exponent field of that number’s floating-point representation in the FPU. To obtain the 
true exponent, you: must subtract the bias from the given exponent..For example, the | 
single real format has a bias of 127 whenever the given exponent is nonzero. If the 8-bit 
exponent field contains 10000011 (binary), which is 131 (decimal), the true exponent is 
131—127, or +4. Also known as an excess representation, in this case excess —127. 


Biased Exponent: The exponent as it appears in a floating-point representation of a 
number. The biased exponent is interpreted as an unsigned, positive number. In ne 
above example, 131 is the biased exponent. , 
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Binary Coded Decimal: A method of storing numbers that retains a base 10 representa- 
tion. Each decimal digit occupies 4 full bits (one hexdecimal digit). The hexadecimal 
values A through F (1010 to 1111) are not used. The Intel486 processor supports a 
packed decimal format that consists of 9 bytes of binary coded decimal (18 decimal | 
digits) and one sign byte. 


Binary Point: An entity just like a decimal point, except that it exists in floating-point 
binary numbers. Each binary digit to the nent of the pei: point is oe vee an 
_ increasing negative power of two. | 


Bit Field: A sequence of up to 32 bits which may start at any bit position of any byte 
address. The Intel486 oe has instructions for efficient operations on bit fields. 


Bit String: A sequence of up to 2321 bits which may start at t any bit position of any y byte 
address. The Intel486 processor has instructions for efficient operations on bit strings. 


Breakpoint: An aid to program debugging in which the programmer specifies forms of 
memory access which generate exceptions. The exceptions invoke debugging software. — 
The Intel486 processor supports software and hardware breakpoints. A software break- 
point is an instruction inserted into the program being debugged. When the INT 3 
instruction is executed, a breakpoint occurs. A hardware breakpoint is set up by pro- 
gramming the debugging registers. The contents of the debugging registers. specify the 
address, size, and type of reference for as many as four breakpoints. Unlike. software 
breakpoints, hardware olen eaee can be applied to data. 3 


Byte: An 8-bit qilantity: of. memory; the smallest unit of. memory referenced by an 
address. | | | - | | 


C3-C0: The four. “condition code” bits of the FPU status word. These bits are set to 
certain values by the compare, test, examine, and remainder functions of the FPU. 


Cache: A small, fast mY which holds the active parts of a larger, slower memory. 


Cache Flush: An ppeiacon which ee all cache lines as invalid: The Intel486 proces- 
sor has instructions for flushing internal and external caches. | | 


Cache Line: The smallest unit of storage which can be allocated in a cache. The internal 
cache, of the Intel4s6 processor has a line size of 128 bits. © : 7 


Cache Line Fill: An operation which ene an entire ‘eatie line u using. multiple ‘ead avcles 
to main et 7 : Lo 


Guthie Miss: A feguest ifop access ‘to memory wich requires actually ouaines main 
memory. 


Call Gate: A ae diceeriptor for invoking a. procedure with a CALL or JUMP 
instruction. 
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Characteristic: A term used for some non-Intel computers, meaning the exponent field 
of.a floating-point number. | | 


Chop: In the FPU, to set one:or more low-order bits of a real number to zero, yielding 
the nearest representable number in the direction of zero. 


Code Segment: An address space which contains instructions; an executable segment. An 
instruction-fetch cycle must address a code segment. The type of information held in a 
segment is specified in its segment descriptor. 


Condition Code: The four bits of the FPU status word that indicates the results of the 
compare, test, examine, and remainder functions of the FPU. 


Conforming Segment: A code segment which executes with the RPL of the segment 
selector or the CPL of the calling program, whichever is less privileged. 


Context Switch: See Task Switch. 


Control Word: A 16-bit FPU register that the user can set, to determine the modes of 
computation the FPU will use and the exception interrupts that will be enabled. 


Coprocessor: An extension to the base architecture and instruction set of a processor. 
The Intel387 numerics coprocessor is used to add floating-point arithmetic instructions 
and registers to the Intel386 processor. Coprocessors allow present-day systems to enjoy 
the architectural enhancements which will be available in future processor chips. - 


CPL: See: Current Privilege Level. 
CPU: Central Processor Unit. See Processor. 


Current Privilege Level (CPL): The privilege level of the program which is executing. 
Normally, the privilege level is loaded ‘from a code segment descriptor. It is loaded into 
the CS segment register, where it is visible to software as the two lowest bits of the 
register. When execution is transferred to a conforming code segment, the privilege level 
does not change. In this case, the CPL may be different from the pence level specified 
in the descriptor (DPL). | 


Data Segment: An address space which contains data. As many as four data segments 
may be in use without reloading the segment registers. The type of information held in a 
remem is ee in its ee saa aa 


Data Structure: An area of memory defined for a particular use by hardware or soft- 
ware, such as a nee table or “task state eceuent (TSS). 


Debug Registers: A set of ages used to specify as many as four hardware break- 
points. Unlike breakpoint instructions, which only can be used for code breakpoints, the 
debug registers can specify breakpoints i in either code or data. 
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Denormal: A special form of floating-point number. On the FPU, a denormal is defined 
as a number that has a biased exponent of zero. By providing a significand with leading 
zeros, the range of possible negative exponents can be extended by the number of bits in 
the: significand. Each leading zero is a bit of lost aceuIAg: so the extended eyponeat 
range is obtained by reducing significance. 7 | . 


Descriptor Privilege Level (DPL): The pavicer level appHed toa es The DPL 1 isa 
field in the segment descriptor. — 


Descriptor Table: An array of segment deceptions There are two kinds of descriptor 
tables: the Global Descriptor Zable ony) and i an arbitrary number of Local Descriptor 
Tables (LDTs). | 


Device Driver: A procedure or ‘task used to manage a peripheral device, such as a disk 
drive. - 


Displacement: A constant used in calculating effective addresses. A displacement modi- | 
fies the address independently of any scaled indexing. A displacement often is used to 
access operands which have a fixed relation to some other address, such as a field of a 
record in an array. 


Double Extended: EEE Std 754 term for the FPU’s extended format, with more expo- 
nent and significand bits than the double format and an explicit Meee bit in the 
significand. : ao git settle Pach, Si | | | | 


Double Format: A floating-point format supported by the FPU that consists of a sign, an 
11-bit biased exponent, an implicit a oe bit, and. a 52-bit Sen Incane a total of 64 
explicit bits. | . | 


Doubleword: A 32-bit quantity of memory. The Intel486 processor allows 32-bit double- | 
words to begin at any. byte address, but a performance penalty is taken when a double- 
word crosses the. Dele between two Goublewords:1 in et memory. : 


DPL: See pea Privilege 1 Level. 


Effective Address: The address produced from _addressing- -mode calculations. A base 
register, scaled index, and displacement may be used i in the calculations. | 


Environment: The 14 or 28 (depending on ere ode) butee of FPU registers 
affected by the FSTENV and FLDENV instructions. It encompasses the entire state of 
the FPU, except for the 8 registers of the FPU stack. Included are the control word, 
status word, tag word, and the instruction, epee: and operand information provided by 
interrupts. | , . 


ESC Instruction: An instruction encoding used for coprocessor instructions. 
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Exception: A forced call to a procedure or a task which is generated when the processor 
fails to interpret an instruction or when an INT nv instruction is executed. Causes of 
exceptions include division by zero, stack overflow, undefined opcodes, and memory- 
protection violations. Exceptions are faults, traps, aborts, and software-initiated 
interrupts. : 


Exception Pointers: In the FPU, the indication used by exception handlers to identify the 
cause of an exception. This data consists of a pointer to the most recently executed ESC 
instruction and a pointer to the memory operand of this instruction, if it had a memory 
operand of this instruction, if it had a memory operand. An exception handler can use 
the FSTENV and FSAVE instructions to access these pointers. 


Expand-Down Segment: A type of data segment in which the meaning of the segment 
limit is reversed. All other segments accept legal offsets from the base address to the 
base address plus the segment limit. An expand-down segment accepts legal addresses in 
two ranges: from 0 to one byte below the base address, and from one. pyre past the 
segment limit to the top of the address space. 


Exponent: (1) Any number that indicates the power to which another number is raised. 
(2) The field of a floating-point number that indicates the magnitude of the number. 
This would fall under the above more general definition (1), except that a bias some- 
times needs to be subtracted to obtain the correct power. 


Extended Format: The FPU’s implementation of the double extended format of IEEE 
Std 754. Extended format is the main floating-point format used by the FPU. It consists 
of a sign, a 15-bit biased exponent, and a significand with an explicit integer bit and 63 
fractional-part bits. | | 


External Cache: A cache memory provided outside of the processor chip. External 
caches can be added to any kind of processor which has external main memory. The 
Intel486 processor has instructions and page-table entry bits which are used to control 
external caches from software. 


Far Pointer: A reference to memory which includes both a segment selector and an 
offset. Used to access memory when the segment selector has not been loaded into the 
processor, for example when making a procedure call from one segment to another. 


Fault: An exception which is reported at the instruction boundary immediately before 
the instruction which generated the exception. When a fault is generated, enough of the 
state of the processor is restored to permit another attempt to execute the instruction 
which generated the fault. The fault handler is called with a return address which points 
to the faulting instruction, rather than the instruction which follows the faulting instruc- 
tion. After the handler fixes the source of the exception, such as a segment or page 
which is not present in memory, the program is restarted. | 


Flat Model: A memory organization in which all segments are mapped to the same range 
of linear addresses. This organization removes segmentation from the environment of 
application programs to the greatest degree possible. 
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Floating-Point Operand: A representation for a number expressed as a base, a sign, a 
significand, and a signed exponent. The value of the number is the signed product of its 
significand and the base raised to the power of the exponent. Floating-point representa- 
tions are more versatile than integer representations in two ways. First, they include 
fractions. Second, their exponent parts allow a much wider range of mapninice than 
possible with fixed- -length integer representations. 


Floating-Point Unit (FPU): The part of the Intel486 processor which contains the 
floating- point registers and performs the operations - ee by . oaie: pom 
instructions. : 


FPU: See Floating-Point Unit. 
Flush: See Cuéhe Flush. 


Gate Descriptor: A segment descriptor which can be the destination of a call or jump. A 
gate descriptor can be used to invoke a procedure or task in another privilege level. 
There are four types of gate descriptors: call gates, trap gates, interrupt gates, and task 
gates. | | | 


GDT: See Global Descriptor Table. 7 7 


Global Descriptor Table (GDT): An array of segment descriptors for all programs in a 
system: There is only one GDT i in a system. | 


Gradual Underflow: A method of handling the floating- point underflow error condition 
that minimizes the loss of accuracy in the result. If there is a denormal number that 
represents the correct result, the denormal is returned. Thus, digits are lost only to the 
extent of denormalization. Most computers return zero when underflow occurs, losing all 
signficant digits. | 


Handler: A procedure or task which is called as a result of an exception or interrupt. 
Hit: See Cache Hit. 

IDT: See Interrupt Devaiie: Table. 

IEEE Standard 754: A set of formats and operations which aly to esi: point num- 
bers. The formats cover 32-, 64-, and 80-bit operand sizes. The standard was developed 
by the Institute for Electrical and Electronics tea (IEEE). The FPU suppor all 
Operaite sizes covered by the standard. 

Immediate Operand: Data needed: in an instruction. 

Implicit Integer Bit: A part of the significand i in the cae real and déibie real floating: : 
point formats that is not explicitly given. In these formats, the entire given significand is 
considered to be the right of the binary point. A’ single implicit integer -bit to the left of 


the binary point is always one, except in one case. When the ponent: is the minimum 
(biased exponent is zero), the implicit integer bit is zero. | oe 
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Indefinite: A special value that is returned by floating-point functions when the inputs 
are such that no other sensible answer is possible. For each floating-point format these 
exits one quiet NaN that is designated as the indefinite value. For binary integer formats, 
the negative number furthest from zero is often considered the indefinite value. For the 
FPU packed decimal format, the indefinite value contains all 1’s in the sign byte and the 
uppermost digits byte. . 


Index: A number used to access a table. An index is scaled (multiplied by shifting left) to 
account for the size of the operand. The scaled index is added to the base address of the 
table to get the address of the table entry. 3 


Inexact: IEEE Std 754 term for the FPU’s precision exception. 


Infinity: A floating-point result that has greater magnitude than any integer or any real 
number. It is often useful to consider infinity as another number, subject to special rules 
of arithmetic. All three Intel floating-point formats provide representations for + tty 
and —infinity. , : | 


Initialization: The process of setting up the programming environment following reset. 
The processor begins execution in real-address mode. A few processor registers have 
defined states following reset, which permit execution to begin. Initial states of the seg- 
ment registers allow memory to be accessed, even though no segment selectors have 
been loaded. The DR7 register (debug control register) is clear, so no breakpoint will 
occur during initialization. The real mode program can set up data structures such as 
descriptor tables and page tables, then transfer execution to a program running in pro- 
tected mode. 


Instruction Prefetch: Reading instructions into the processor from sequentially higher. 
addresses. in advance of execution; a technique for overlapping the execution. of 
instructions. 


Instruction Restart: An ability to make a second attempt to execute an instruction which 
generates an exception. Instruction restart is necessary for supporting virtual memory. 
When an application makes reference to a segment or page which is not present in 
memory, the application must be suspended in a way which allows restarting after the 
operating system has brought the segment or page into physical memory. Instruction 
restart restores enough of the processor state to allow the exception handler to be called 
with a return address pointing to the instruction which generated the exception, rather 
than the instruction following it. 


Integer: A number (positive, negative, or zero) that is finite and has no fractional part. 
Integer can also mean the computer representation for such a number: a sequence of 
data bytes interpreted in a standard way. It.is perfectly reasonable for integers to be 
represented in a floating-point format; this 1 is what the FPU does whenever an ucecr is. 
pushed onto the FPU stack... : | 
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Integer Bit: A part of the significand in floating-point formats. In these formats, the 
integer bit is the only part of the significand considered to be to the left of the binary 
point. The integer bit is always one, except in one case: when the exponent is the mini- 
mum (biased exponent: is zero), the integer bit is zero. In the. extended :format the 
integer bit is explicit; in the single format and double format the ee bit is pe 

l.e., is not actually stored in memory. ; | 


Internal Cache: A cache memory on the processor chip. The Intel486 processor has SK 
bytes of internal cache teMmOry: : 


Interrupt: A forced transfer of program control caused by a hardware signal or execution 
of the INT 7 instruction. Interrupt handlers ane By software are piacesree like 
exceptions. 8 Sg 3 


Interrupt Descriptor Table (IDT): An array of gate descriptors for invoking the handlers 
associated with exceptions and interrupts. A handler may be invoked oy a task gate, 
ee pate, or a Bate | 


Interrupt Gate: A gate descriptor used to sanveles an erent handler. An Hfeerunt gate 
is different from a trap gate only in its effect on the IF flag. An interrupt gate clears the 
flag (disables interrupts) for the duration of the handler. | | 


Invalid: Unallocated. Invalid cache lines do not cause ne hits. Valid cache lines have 
been loaded with data and may cause cache hits. | | 


Invalid Operation: The exception condition for the FPU that covers all cases not covered 
by other exceptions. Included are FPU stack overflow and underflow, NaN inputs, illegal 
infinite inputs, out-of-range inputs, and inputs in unsupported formats. 


Label: An identifier used to name places in the source code of a program, so that 
statements can refer to those places. Places named by labels include procedure cnuy: 
points, beginning of blocks of data, and base addresses for descriptor tables. 


LDT: See Local Descriptor Table. 


Linear Address: A 32-bit address into a large, unsegmented address space. If paging is 
enabled, it translates the linear address into a physical address. If paging is not enabled, 7 
the linear address is used as the physical address. 


Local Descriptor Table (LDT): An array of segment descriptors for one program. Each 
_ program may have its own LDT, a program may share its LDT with another program, or. 
a program may have no LDT, in which case, it uses the global descriptor table (GDT). | 


Locked Instructions: Instructions which read and write a destination in memory without 
allowing other devices to become bus masters between the read cycle and the write cycle. 
This mechanism is necessary for supporting reliable communications among multiproces-. 
sors. The mechanism is invoked using the LOCK instruction prefix. ‘Only certain instruc- 
tions may be locked, and only when they have destination operands. in oa one 
uses of the LOCK prefix generate an invalid-opcode exception). | 
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Logical Address: The number used by application programs to reference virtual memory. 
This number consists of two parts: a segment selector (16 bits) and an offset (32 bits). 
The segment selector is used to specify an independent, protected address space (seg- 
ment). The offset is used as an address within that segment. Segmentation translates the 
logical address into a linear address. 


Long Integer: An integer format supported by the FPU that consists of a 64-bit two’s 
complement quantity. 


Long Real: An older.term for the FPU’s 64-bit double format. 


Main Memory: The large memory, external to the processor, used for holding most 
instruction code and data. Generally built from cost-effective DRAM memory chips. 
May be used with the internal cache of the processor and an optional external cache. 


Mantissa: A term used with some non-Intel computers for the significand of a floating- 
point number. | 


Masked: A term that can apply to each of the six FPU exceptions I, D, A, O U, P. An 
exception is masked if a corresponding bit in the FPU control word is set to one. If an 
exception is masked, the FPU will not generate an interrupt when the exception cond- 
tion occurs; it will instead provide its own exception recovery. | 


Memory Management: Support for simplified models of memory; a process consisting of 
address translation and protection checks. There are two forms of memory management, 
segmentation and paging. Segmentation provides protected, independent address spaces 
(segments). Paging provides access to data structures larger than the available memory 
space by keeping them partly in memory and partly on disk. 


Microprocessor: See Processor. | 

Miss: See Cache Miss. 

Mode: (1) One of the FPU status word fields “rounding control” and “‘precision control” 
which programs can set, sense, save, and restore to control the execution of subsequent 
arithmetic operations. (2) See Real-Address Mode, Protected Mode, Virtual-8086 Mode, 
Supervisor Mode, User Mode. 


ModR/M Byte: A byte following an instruction opcode which is used to specify instruc- 
tion operands. | 


MPU: Micro-Processor.Unit. See Processor. 


Multiprocessing: Using more than one processor in a system. The Intel486 processor 
supports two kinds of multiprocessing: coprocessors, which are special-purpose 
performance-enhancing extensions to the architecture and instruction set, and multiple 
general-purpose processors, such as additional Intel486 processors. 
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Multisegmented Model: A memory organization in which different segments are mapped 
to: different ranges of linear addresses. .This organization uses segmentation to protect 
data structures from damage caused by program errors. For example, the stack can be 
kept from growing into memory occupied by instruction code. . | 


- Multitasking: Timesharing a processor among several programs, executing some number 
of instructions from each. The Intel486 processor has instructions ene data structures 
which support multitasking. i 


NaN: An abbreviation for “Not a Number’; a floating-point quantity that does not rep- 
resent any numeric or infinite quantity. NaN’s should be returned by functions that 
encounter serious errors. If created during a sequence of calculations, they are transmit- 
ted to the final answer and can contain information about where the error occurred. 


Near Pointer: A reference to memory without a segment selector; an offset. Used to 
access memory when the segment selector has already been loaded into the PIOceSOn | 
for example when one procedure calls another within the same segment. 


Normal: The representation of a number in a floating-point format in which the one 
cand has an nie ee bit one. Ace! a or uphal)y 


Noimalize eaves a denormal floating-point representation of a number to a normal 
representation. 


Offset: A 16- or 32-bit number which specifies a memory location relative to the base 
address of a segment.. A ‘program’s code segment descriptor specifies whether 16- or 
32-bit offsets are the default. An address-size prefix specifies use of the non-default size. 


Operand: Data in a register or in memory which an instruction reads or writes (or both). 


Operand-Size Prefix: An instruction prefix which selects the sizes of integer operands. 
Operands may be 8- and 16-bit, or they may be 8- and 32-bit. The default operand size is 
specified by the D bit in the descriptor for the code segment which contains the instruc- 
tion. Use of the ee size epics selects the non-default size. 7 


Overflow: A dosti: point exception soutien in mwaich the correct answer is finite, but 
has magnitude too great to be represented in the destination format. This kind of over- 
flow (also called numeric overflow) is not to be confused with stack overflow. 


Packed BCD: Packed Binary Coded Decimal; a format for representing numbers in base 
10. One byte is used for each two digits of the number, with bit positions 0 to 3 specifying 
the value for the less significant digit and bit positions 4 to 7 specifying the value for the 
more significant digit. Packed BCD is one of the data types supported by the FPU. 


Packed Decimal: An integer format supported by the FPU. A packed decimal number is 
a.10-byte quantity, with nine pyscee of 18 ee coded decimal ae and one aye for the 
sign. 
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Page Directory: The first-level page table. The paging hardware of the Intel486 proces- 
sor uses two levels of page tables, where the physical address produced by the first-level 
page table is the base address of the second-level page table. The use of two levels allows 
the second-level tables to be paged to disk. 


Page Directory Base Register (PDBR): A processor register which holds the base address 
of the page directory; same as the CR3 register. Because the contents of the PDBR 
register are loaded from the task state segment (TSS) during a task switch, each task can 
have its own page directory, so each can have a different mapping of virtual pages to 
physical pages. | 


Page: A 4K-byte block of neighboring memory locations; the unit of ey used by 
paging hardware. 


Page Table: A table which maps part of a linear address to a physical address. The 
paging hardware of the Intel486 processor uses two levels of page tables, where the 
physical address produced by the first-level page table is the base address of the second- 
level page table. The use of two levels allows the second-level ao to be eee to disk. 7 


Page Table Entry: A 32-bit data structure in memory used for paging. It neues the 
physical address for a page and the page’s protection information. It is set up by oper- 
ome system software and accessed by paging hardware. 


Paging: A form of memory management used to simulate a large, unsegmented address 
space using a small, fragmented address space and some disk storage. Paging provides 
access to data structures larger than the available memory space by keeping them partly 
in memory and partly on disk. 


PDBR: See ee Directory Base eee, 


Physical Address: The address which appears on the local bus. The Intel486 processor . 
_has a 32-bit physical address, which may be used to address as much as 4 ue of 
meen: | 


Physical Memory: The address space on the local bus; the hardware implementation of 
memory. Memory is addressed as 8-bit bytes, but it is implemented as 32-bit double- 
words which start at addresses which are multiples of four (addresses which are clear in 
their two least significant bits). The Intel486 processor may have up to 4 gigabytes of 
physical memory. | | 


Precision: The effective number of bits in the significand of the floating-point represen- 
tation of a number. , : 


Precision Control: An option, programmed through the FPU control word, that allows 
all FPU arithmetic to be performed with reduced precision. Because no speed advantage 
results from this option, its only use is for strict. een) with IEEE Std 754 and 
with other computer systems. | 
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Precision Exception: An FPU exception condition that results when a calculation does 
not return an exact answer. This exception is usually masked and ignored; it is used only 
in extremely critical applications, when the user must know if the results are exact. The 
precision exceptions is called inexact in IEEE Std 754. : 


Privilege Level: A protection parameter applied to segments and segment selectors. 
There are four privilege levels, ranging from 0 (most privileged) to 3 (least privileged). | 
Level 0 is used for critical system software, such as the operating system. Level 3 is used 
for application programs. Some system software, such as device drivers, may be put in 
intermediate levels 1 and 2. 


Processor: The part of a computer system which executes instructions; also called micro- 
processor, CPU, or MPU. 


Protected Mode: An execution mode i in which tne full 32-bit architecture of the proces- 
sor is available. | 


Protection: A mechanism which can be used to protect the operating system and appli- 
cations from programming errors in applications. Protection can be used to define the 
address spaces accessible to a program, the kind of memory references which may be 
made to those address spaces, and the privilege level required for access. Any violation | 
of these protections generates a general- -protection exception. Protection can be applied 
to Semen. Or pages. 


Pseudo-Descriptor: A 48- bit memory operand eset when a descriptor table base 
register is loaded or stored. nao 


Pseudozero: One of a set of special values of the extended real format. The set: consists 
of numbers with a zero significand and an exponent that is neither all zeros nor all ones. 
Pseudozeros are not created by the FPU but are handled Corre when encountered as 
operands. — : | 


Quadword: A 64-bit operand. The CDQ instruction can be used to convert a doubleword 
to a quadword. A quadword held in the. EDX and EAX eer ters, may be the dividend 
used with a doubleword divisor. 


Quiet NaN: A floating-point NaN in which the most significant bit of the fractional part 
of the significand is one. By convention, these NaN’s can undergo certain operations 
without causing an exception. | 


Re-entrant: Allowing a program to call itself; recursive. For certain kinds of problems, 
such as operations performed on hierarchical data structures, procedures which call 
themselves are simple and efficient solutions. On the Intel486 processor, procedures may 
be re-entrant, however tasks are not. A-task may not call itself because it has only one 
task state segment (TSS) for storing the processor state. Procedures store the pioreser 
state on the stack, so they may be re-entrant to an arbitrary number of levels. 
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Real-Address Mode: An execution mode which provides an emulation of the architecture 
of an 8086 processor; also called ‘real mode.” In this mode the Intel486 processor 
appears as a fast 8086 processor. The architectural extensions for protection and multi- 
tasking are not available in this mode. POnOWINE reset initialization, the Intel486 proces- 
sor begins execution in real mode. 


Real: Any finite value neeatne: Basler Or zero) that can be represented by a (possibly 
infinite) decimal expansion. Reals can be represented as the points of a line marked off 
like a ruler. The term can also refer to a floating-point number that represents a real 
value. 


Requested Privilege Level (RPL): The privilege level applied to a segment selector. If the 
RPL is less privileged than the current privilege level (CPL), access to a segment takes 
place at the RPL level. This keeps privileged software from being used by an application 
to interfere with the operating system or other applications. For example, a privileged 
program which loads memory from disk should not be permitted to overwrite the oper- 
ating system as a result of a call from an application. With RPL, the attempt to access 
the memory space of the operating system takes place with the privleges of the 
appiicauen. | 


Reset: See Initialization. 
RPL: See Requested Privilege Level. 


Segment: An independent, protected address space. A program may have as many as 
16,383 segments, each of which can be up to 4 gigabytes in size. | 


Segment. Descriptor: A 64-bit data structure in memory used for segmentation. It 
includes the base address for a segment, its size (limit), its type, and protection informa- 
tion. It is set up by operating system software and accessed by segmentation hardware. 


Segment-Override Prefix: An instruction prefix which overrides the default segment 
selection. There are six segment-override PINS: one each for the CS, SS, DS, ES, FS, 
and GS segments. | 


Segment Selector: A 16-bit number used to specify an address space (segment). Bit 
position 3 to 15 are used as an index into a descriptor table. Bit position 2 specifies 
whether the global descriptor table (GDT) or local descriptor table (LDT) is used. Bit 
positions 0 and 1 are the requested privilege level (RPL), which may lower the priority of 
access, as an additional protection check. 


Segmentation: A form of memory management used to provide multiple independent, 
protected address spaces. Segmentation aids program debugging by reporting program- 
ming errors when they first occur, rather than when their effects become. apparent. 
Segmentation makes programs provided to the end-user more reliable by limiting the 
damage which can be caused by undetected errors. Segmentation increases the address 
space available to a program by providing up to 16,383 Scemients; each of which can be 
up to 4 gigabytes in size. : 
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Set-Associative: A form of.cache organization in which the location of a data block in 
main memory. constrains, but does not completely determine, its location in the cache. — 
Set-associative organization is a compromise between direct-mapped organization, in 

_ which data from a given address in main memory has only one possible cache location, 
and fully-associative organization, in which data from anywhere in main memory can be 
put anywhere in the cache. An “n-way set-associative” cache allows data from a given 
address in main memory to be cached in any of n locations. Both the Translation Looka- 
side Buffer (TLB) and the integral ¢ cache of the Intel486 pro e have a. four- may 
set-associative organization. le Be | | : 


Short Integer: An integer format supported by the FPU that consists of a 32- bit two’s 
complement quantity. Short niet is not the shortest FPU ween format —the 16-bit 
word Unter is. | | 


Short Real: An older term for the FPU’s 32. bit single format. 


SIB Byte: A byte following an instruction eancoue and modR/M bytes which - is used to 
specify a scale factor, index, and base register. , 


Sign Extension: Gaaveion of data to a larger format, where empty bit positions are 
filled with the value of the sign. This form of conversion preserves the value of signed 
integers. See Zero Extension. 


Signaling NaN: A floating-point NaN that causes an invalid-operation exception when- 
ever it enters into a calculation or comparison, even an unordered comparison. 


Significand: The part of a floating-point number that consists of the most significant 
nonzero bits of the number, if the number were written out in an unlimited binary 
format. The significand is composed of an integer bit and a fraction. The integer bit is 
implicit in the single format and double format. The significand is considered to have a 
binary point after the integer bit; the Cen point is then moved according to the value 
of the exponent, 


Single Extended: A flbatine? soit foumat ‘eGuited By the: IEEE Std 754, that saea des 
greater precision than single; it also provides an explicit integer bit in the significand. 
The FPU’s extended format meets the sure extended roquirement as well as the double 
extended bequircmient | ; | 


Single Format: A floating- point format supported By the FPU, which consists of a sign, 
an 8-bit biased exponent, an implicit integer bit, and a 23- bit t significand — a total of 32 
explicit bits. 7 ! 


Stack Fault; A special case of the invalid-operation exception which is indicated by a one 
in the SF bit of the status word. This condition usually rosuils from stack underflow or 
overflow in the FPU. : | : | | 


Stack Frame: The space used on the stack by a procedure.. The stack frame includes 


parameters, return addresses, saved registers, temporary StOEeC and any other ohoce 
Space the procedure uses. | | 24 | 
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Stack Segment: A data segment which is used to hold a stack. A stack segment may be 
expand-down, which allows the segment to be resized toward lower address. The type of 
information held:in a segment is specified in its segment descriptor. 


Status Word: A 16-bit FPU register that can be manually set, but which is usually con- 
trolled by side effects to FPU instructions. It contains condition codes, the FPU stack 
pointer, busy and interrupt bits, and exception flags. 


String: A sequence of bytes, word, or doublewords which may start at any byte address in 
memory. The Intel486 processor has instructions for efficient operations on strings. 


Supervisor Mode: The privilege level applied to operating system pages. Paging only 
recognizes two privilege levels: supervisor mode and user mode. A program executing 
from a segment at privilege level 0, 1, 2 is in supervisor mode. 


Table: An array of recone in memory having equal size. 


Tag Word: A 16-bit FPU register that it automatically maintained by the FPU. For each 
space in the FPU stack, it tells if the space is i by a number; if.so, it gives 
information about what kind of number. . 


Tag Word: A 16-bit FPU register that it automatically maintained by the FPU. For cach 
space in the FPU stack, it tells. if the space is occupied by a number; if so, it gives 
information about what kind of number. 


Tag: The part of a cache line which holds the address information used to determine if a 
memory operation is a hit or a miss on that cache line. 


Task Register: A register which holds a segment selector for the current task. The selec- 
tor references a task state segment (TSS). Like the segment registers, the TR register 
has a visible part and an invisible part. The visible part holds the segment selector, and 
the invisible part holds information cached from the segment descriptor for the TSS. 


Task State Segment (TSS): A segment used to store the processor state during a task 
switch. If a separate I/O address space is used, the TSS holds permission bits which 
control access to the I/O space. Operating systems may define additional structures 
which exist in the TSS. | 


Task Switch: A deensies of execution eewieen tasks; a context switch. Unlike the proce- 
dure calls, which save only the contents of the general registers, a task switch saves most 
of the processor state. For example, the registers used for address translation are 
reloaded, so that each task can have a different logical-to-physical address mapping. 
Task: A program running, or waiting to run, in a multitasking system. 


Temporary Real: An older term for the FPU’s 80-bit extended format. 


Tiny: Of or pertaining to a floating-point number that is so close to zero that its expo- 
nent is smaller than smallest exponent that can be represented in the destination format. 
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TLB:: See Pen EOOKGSIAG ee 


Top: The dace: bit field of the status woud that adibaias which FPU ey is aie 
Current top of oS. | 


Transcendental: One of a class of functions for which polynomial formulas are always 
appropriate, never exact for more than isolated values. The FPU supports trigonometric, 
exponential, and logarithmic functions; all are transcendental. 


Translation Lookaside Buffer (TLB): The on-chip cache for page table entries. In typical 
systems, about 99% of the references to page table entries can be Salishea by informa- 
tion in the TLB. as | . Sas 7 


Trap: An exception which i iS pared at the instruction sonaden immediately following 
the instruction which generated the exception. | e 


Trap Gate: A gate descriptor used to invoke an exception handler. A trap gate is differ- 
ent from an ‘interrupt gate only in its effect on the IF flag. Unlike an interrupt gate, 
which clears the flag (disables interrupts) for the duration’ of the handler, a trap gate 
leaves the flag unchanged. _ 


TSS: See Task State Segment.’ 


Two’s Complement: A method of representing integers. If the uppermost bit is zero, the 
number is considered positive, with the value given by the rest of the bits. If the upper- 
most bit is one, the number is negative, with the value obtained by subtracting Qe eouns) 
from all the given bits. For example, the, & bit number 11111100 is —4, obtained 
subtracting 2° from 252. _ | | | 


Unbiased Biaqionent: The ade value that tells how far and in which direction to move the 
binary point of the significand of a floating-point number. For example, if a single- 
format exponent is 131, we subtract the Bias 127 to obtain the unbiased exponent + 4. 
Thus, the real number being nepresented is the significand with the binary point shifted 
4 bits to. the right. , Om 4 - | ) | 


Underflow: An exception condition in which the correct answer is nonzero, but has a 
magnitude too small to be represented as a normal number in the destination floating- 
point format: IEEE Std 754 specifies that an attempt be made to represent the number 
asa denormal. This. denormalization: may result in a loss of significant bits from the 
significand.: This kind. of underflow (also called numeric overflow) is not be confused 
with stack overflow. 


Unmasked: A term that can-apply to each of the six FPU exceptions: I, D, Z, O, U, P. 
An exception is unmasked if a corresponding bit in the FPU control word is set to zero. 
If an exception is unmasked, the FPU will generate an interrupt whent he exception 
condition” occurs. vu) can provide a an veer routine that customizes yout Seon 
recovery. | : 7 | 7 
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Unnormal: An extended real representation in which the explicit integer bit of the sig- 
nificand is zero and the exponent is nonzero. Unnormal values are not supported by the 
FPU. This includes several formats that are recognized by the 8087 and 287 coproces- 
sors; they cause the invalid-operation exception when encountered as operands. . 


Unsupported Format: Any number representation that is not recognized by the FPU. 
This includes several formats that are recognized by the 8087 and 287 coprocessors; 
namely: pseudo-NaN, pseudoinfinity, and unnormal. 


USE16: An assembly language directive for specie 16-bit code and data segments. 
USE32: An assembly language directive for specifying 32-bit code and data segments. 


User Mode: The privilege level applied to application pages. Paging only recognizes two 
privilege levels: supervisor mode and user mode. A program executing from a segment at 
privilege level 3 is in user mode. 


V86 Mode: See Virtual-8086 Mode. 


Valid: Allocated. Valid cache lines have been loaded with data and may cause cache hits. 
Invalid cache lines do not cause cache hits. 


Vector: A number used to identify the source of an exception or interrupt. A vector Is 
used to index into the IDT table for a gate descriptor. The gate descriptor is used to call 
the handler for the exception or interrupt. 


Virtual Memory: The memory model for application programs; a simplified organization 
for memory supported by memory management hardware and operating system soft- 
ware. On the Intel486 processor, virtual memory is supported by segmentation and pag- 
ing. Segmentation is a mechanism for providing multiple independent, protected address 
spaces. Paging is a mechanism for providing access to data structures larger than physical 
memory by keeping them partly in memory and partly on disk. 


Virtual-8086 Mode: An execution mode which provides an emulation of the architecture 
of an 8086 processor. Unlike real-address mode, virtual-8086 mode is compatible with 
multitasking; a protected mode operating system may be used to run a mix of protected 
mode and virtual-8086 mode tasks. 


Word: A 16-bit quantity of memory. The Intel486 processor allows 16-bit words to begin 
at any byte address, but a performance penalty is taken when a word crosses the bound- 
ary between two doublewords in physical memory. 


Word Integer: An integer format supported by the Intel486 processor that consists of a 
16-bit two’s complement quantity. 


Write-Back: A form of caching in which memory writes load only the cache memory. 
Data propagates to main memory when a write-back operation is invoked. 
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Write-Through: A form of anise in which ane mOny writes load both the cache PREMONY 
and main mmolys | , Ss 


Zero Divide: An exception condition in aac floating: Aout inputs are satriites but the 
correct answer, even with an unlimited exponent, has infinite magnitude. 


Zero Extension: Conversion of. aac to.a larger format, where empty bit positions are 


filled with zero. This form of conversion preserves the value of unsigned integers. See 
Sign Extension. 
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AAA (ASCII adjust AL after addition), flag 
cross-reference, B-1 
instruction description, 3-10 
instruction format and timing, E-10 
instruction specification, 26-18 
one-byte opcode map, A-4 
status flag summary, C-1 
AAD (ASCII adjust AX before division), 
flag cross-reference, B-1 
instruction description, 3-11 
instruction format and timing, E-11 
instruction specification, 26-19 
one-byte opcode map, A-4 
-Status flag summary, C-1 
AAM (ASCII adjust AX after multiplication), 
flag cross-reference, B-1 
instruction description, 3-11 
instruction format and timing, E-10 
instruction specification, 26-20 » 
one-byte opcode map, A-4 
.  $tatus flag summary, C-1 
AAS (ASCII adjust AL after. subtraction), 
flag cross-reference, B-1 
instruction description, 3-11 
instruction format and timing, E-10 
instruction specification, 26-21 
one-byte opcode map, A-4, A-5 
status flag summary, C-1 
aborts, | 
exception conditions, 9-13. _ 
exception description, 9-2 
exception processor-detected, 9-1 
absolute address, and JMP instruction, 3-24 
AC flag (alignment check mode —bit 18), | 
system flag description, 4-2 
accessed bit, 
page table entries, 5-21 
segment register loading, 3-39 
ADC (add integers with carry), 
flag cross-reference, B-1 
instruction description, 3-7 
instruction specification, 26-22 
modR/M byte opcodes, A-8 
one-byte opcode map, A-4 
status flag summary, C-1 
ADD (add integers), 
flag cross-reference, B-1 
instruction description, 3-7 
instruction specification, 26-24 
modR/M byte opcodes, A-8 
one-byte opcode map, A-4 
status flag summary, C-1 


address-size prefix, instruction format, 2-16 
addressable domain, restrictions to, 6-23 
addressing-mode, 

FPU architecture, 19-1 

instruction specifier, 2-16 
AF (auxiliary carry flag), status flag, 2-14 
AH (8-bit general register), 

and AAA instruction, 3-10 

and AAD instruction, 3-11 

and AAM instruction, 3-11 

and AAS instruction, 3-11 

register description, 2-8 
AHOLD input, and self test, 10- 1 
AL (8-bit general register), 

and AAA instruction, 3-10 

and AAD instruction, 3-11 

and AAM instruction, 3-11 

and AAS instruction, 3-11 _ 

and binary arithmetic instructions, 3- 6° 

and CBW instruction, 3-6 

and CMPXCHG instruction, 3- 43 

and DAA instruction, 3-10 

and DIV instruction, 3-9 

and immediate operands, 2-18 

and LODS instruction, 3-30: 

and MOV instruction, 3-2 

and MUL instruction, 3-8 

and SCAS instruction, 3-29 

and STOS instruction, 3-30 

and XLATB instruction, 3-42 

register description, 2-8 
alignment, 7 

and LOCK prefix, 13-2 

and pseudo-locking, 13-3 

of data type addresses, 2-4 
alignment-check exception, 

and AC flag, 4-2 

and Intel486 processor, 2-24 | 
alignment-check fault, Interrupt 17. (ienrnent 

check), 9-23 

AM bit (alignment mask — bit 18), system 

control flag, 4-7 
ANaN indefinite, and stack exception, 16-20 
AND (logical and), 

flag cross-reference, B-1 

instruction description, 3-12 

instruction specification, 26-26 

modR/M byte opcodes, A-8 

one-byte opcode map, A-4 

status flag summary, C-2 
architecture, Intel486 Floating Point Unit 

(FPU), iss 
arithmetic instructions, 

and EFLAGS register, 2-13. 

and immediate operands, 2-18 » 

and nonarithmentic instructions, 16-2 
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ARPL (adjust RPL field of selector), 
flag cross-reference, B-1 
instruction format and timing, E-12 
instruction specification, 26-27 
one-byte opcode map, A-4 
pointer integrity, 6-22 ) 
ASM386/486 assembler, e 
and FPU numeric aplication 18- 7 
and FPU register addressing modes, 15-1 
and Intel486 Floating Point Unit. (FPU), 
| 14-6 
automatic exception handling, numeric 
exceptions, 16-18 
automatic locking, and LOCK#, 13. D3 
AVL field, I/O addressing, 8-1... ° 
AX (16- bit general register), 3 
and CMPXCHG instruction, 3- sae , 
and CWD instruction, 3-4 «ss 
and CWDE instruction, 3-6. 
and DIV instruction, 3-9 = 
and MUL instruction, 3-8 » 
and SCAS instruction, 3-29 
and.STOS instruction, 3-30 
register description, a 8 


B bit, and Intel 8087 compatibility 15: 2. 
base, 
effective-address computation, . 22. 
segment descriptors, 5-10 
base address, 
and effective address, 2- 21 | 
and segment descriptor, 2-2 | 
and segment descriptors, 5-10 | 
and segmented address: space, 2. 3 
BCD (binary coded decimal), data type, 2- 6 
benign exceptions, and Interrupt 8 (courre 
fault), 9-16 
BH (8-bit general register), register 
description, 2-8. 
bidirectional port, and input/output, 8- 1 
binary arithmetic instructions, and application 
programming, 3-6. 
binary integers, FPU. data type, 45: 11 
bit block transfer, and double-shift — 
instructions, 3-19 7 
bit field, data type, 2-6 
bit: string, data: type, 2-6. 
BL (8-bit general a: register : 
description, 2-8 
block I/O instructions, 
INS (input string from port), 8 ae 
OUTS (output string from port), g- 6 
block-structured language, 
instructions, 3-30 |: 
lexical level, 3-32 | 
Boolean expressions, and byte- -set-on- n-condition 
instructions, 3-22 — 
BOUND (check array index against bounds), 
flag cross-reference, B-1. | 
general description, 3-27 | 
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instruction format and timing, E-13 
instruction specification, 26-29 
one-byte opcode map, A-4 
bounds- check exception, and Intel486 
"processor, ‘2-23 » 
bounds-check fault, Interrupt 5 (bounds 
check), 9-15 
BP (16-bit general. register), register 
description, 2-8 , 
breakpoint exception, 
debugging support, 11-1. 
and Intel486 processor, 2- 23 
breakpoint instruction, debugging support, 
breakpoint trap, Interrupt 3 (breakpoint — 
instruction), 9-14, 11-9 
breakpoints, and debug registers, 4-8, 11 = 
BSF (bit scan forward), : 
flag cross-reference, B-1 
, instruction: description, 3-12 
instruction format and timing, E-9 © 
instruction specification, 26-31. 
status flag summary, C-2 , 
two-byte opcode map, a BSR i scan 
reverse), 
flag cross- reference, B-1 
instruction | description, 3-12 
instruction format and timing, E-9.. 
instruction specification, 26-33. 
status flag summary, C-2. 
two-byte opcode map, A- 7 
BSWAP (byte swap), 
flag cross-reference, B-1 
instruction description, 3-46 
instruction format and timing, E-6. 
instruction specification, 26-35 | 
two-byte opcode map, A-7 
BT (bit test), 
flag cross- -reference, B- i 
instruction description, 3-12. 
instruction format and timing, E-9 
instruction specification, 26-36 
modR/M byte opcodes, A-8 
status flag summary, C-3 - 
two-byte opcode map, A-6 © 
BTC (bit test and complement), 
flag cross-reference, B-1 
instruction description, 3-12: 
instruction specification, 26-38 
status flag summary, C-3 | 
two-byte opcode map, A-7 
BTR (bit test and reset), 
flag cross-reference, B-1 
instruction description, 3-12 — 
instruction specification, 26-40 
.modR/M byte opcodes, A-8 
status flag summary, C-3 . 
two-byte opcode map, A-6. 
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BTS (bit test and set), 
flag cross-reference, B-1 
instruction description, 3-12 
instruction specification, 26-42 
modR/M byte opcodes, A-8 

_ Status flag summary, C-3 

two-byte opcode map, A-7 

bus masters, — 
and LOCK prefix, 13-2 
and processor communication, 13-1 

busy bit, 
and re-entrant task wichie 7-12 
and TSS descriptor, 7-3 

BX (16-bit general register), register 

description, 2-8 
byte, data type, 2-3 


C programs, and FPU numeric applications, 
1 


re and FPU numeric applications, 
ae 
associative memories and tag, 12- 1 
consistency and multiprocessing systems, 


consistency and multiprocessor systems, 
control bits and page table entries, 5-22 
disabling bits and internal cache, 12-2 
external cache, 12-1 
hit and associative memory tag, 12-1 
initialization testing, 10-10 
internal cache, 12-1 
line fill and cache lines, 12-2 
lines and internal cache, 12-1 
miss and associative memory tag, 12-1 
structure, 10-10 
test operations, 10-13 
test registers, 10-12 
- cache management, 
instructions (system programming), 4-9 
INVD (invalidate cache), 12-3 
PCD bits (page-level cache disable), 12-4 
WBINVD (write-back and invalidate 
cache), 12-3 | 
caching, 
and I/O data, 8-4 | 
and page-level management, 12-3 
and write-back, 12-2 
and write-through, 12-2 
enable and initialize, 10-4. 
CALL (call procedure), 
flag cross-reference, B-1 
general description, 3-24 — 
instruction format and timing, E-7, E- 8 
instruction specification, 26-44 
modR/M byte opcodes, A-8 
one-byte opcode map, A-4, A-5_ 
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call gates, and control transfers, 6-11 
carry flag instructions, and CF flag, 3-37 
CBW (convert byte to word), 


flag cross-reference, B-1 

instruction description, 3-6 
instruction format and timing, E-6 | 
instruction specification, 26-51 | 
one-byte opcode map, A-4, A-5 


CD bit (cache disable — bit 30), system control 


flag, 4-6 


8, 
CDQ (convert doubleword to quadword); 


instruction description, 3-4 
instruction specification, 26-64 


CF (carry flag), status flag, 2-14 
CF 


flag, 

and binary arithmetic instructions, 3-6 
and carry flag instructions, 3-37 

and DEC instruction, 3-6 

and INC instruction, 3-6 


CH (8-bit general register), register 


description, 2-8 


CL (8-bit general register), 


and shift instructions, 3-13 
register description, 2-8 


CLC (clear carry flag), 


flag cross-reference, B-1 
instruction format and timing, E-10 
instruction specification, 26-52 
one-byte opcode map, A-5 


CLD (clear direction flag), 


flag cross-reference, B-1 
instruction format and timing, E-10 
instruction specification, 26-53 
one-byte opcode map, A-5 


CLI (clear interrupt-enable flag), 


and INTR interrupts, 9-3 

flag cross-reference, B-1 
instruction format and timing, E- 10 
instruction specification, 26-54 
one-byte opcode map, A-5 
sensitive instructions, 8-6 


CLTS (clear task-switched flag in CRO), 


flag cross-reference, B-1 
instruction format and timing, E-11 
instruction specification, 26-55 
privileged instruction, 6-19 
two-byte opcode map, A-6 


CMC (complement carry flag), . 


flag cross-reference, B-1 
instruction format and timing, E-10 
instruction specification, 26-56 
one-byte opcode map, A-4 


CMP (compare two operands), 


flag cross-reference, B-1 
instruction description, 3-8 
instruction format and timing, E-4 
instruction specification, 26-57 
modR/M byte opcodes, A-8 
one-byte opcode map, A-4, A-5 
status flag summary, C-2. 
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CMPS (compare strings), 
flag cross-reference, B-1 
instruction description, 3-29 
instruction format and timing, E-9 
instruction specification, 26-59) 
status flag summary, C- 2 
CMPSB (compare bytes), 
instruction specification, 26-59 
one-byte opcode map, A-4 
CMPSD (compare doublewords), 
instruction specification, 26-59. 
one-byte opcode map, A-4 | 
(CMPSW (compare words), 
instruction specification, 26-59 
one-byte opcode map, A-4 
CMPXCHG (compare and exchange), 
flag cross-reference, B-1 
instruction description, 3- 48 
instruction format and timing, E- 6 
instruction specification, 26-62 
status flag summary, C-2: 
two-byte opcode map, A- 6 
code segments, 7 
and CS register, 2-11 
and data access, 6-8 | 
and segment descriptors, 513. 
comparison instructions, floating- -point - 
instructions, 17-4 
compatibility, | 
Intel486 Floating Point alt (FPU), 14- 1 
initialization, 10-1 
as na DX processor differences, 


Intel 286/Intel287 processor differences, 


Intel 8086/8087 processor differences, 25-10 
concurrent processing, IU and FPU, 18-12 
condition codes, and EFLAGS. register, 2-13 


conditional branching example, numeric | 
programming, 20-1 


_ conforming segment, and control transfer 
restrictions, 6-9 © : 

constant instructions, floating. -point 
instructions, ge 6 : 


contributory exceptions, and. paterrap 8 
(double fault), 9-16 | 


control instructions, floating-point instructions, 


control registers, of Intel486 processor, 2- 8. 
control transfers, | | 

and call gates, 6-11 

and gate descriptors, 6-11. 

instructions and application programming, 


restrictions to, 6-9 
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coprocessor-not-available exception, and EM _ 
control flag, 4-7. , 
coprocessor-segment overrun abort, Interrupt 
9 (Intel reserved), 9-17 . 
copy-on-write strategy, and user- -mode write 
protect, 6-24 m4 
CPL (current privilege level), : 
and control transfer restrictions, 6-9. 
and CS segment register, 6- -6 
and data access restrictions, 6-7: - 
CRO (system control tenet 
and AC flag, 4-2 : 
and paging, 2-2, 5-2 . 
and PG bit, 5- 18. 
register description, 4-5 
CR1 (system control register), register 
description, 4-5 
CR2 (system control register), register. ; 
description, 4-5 : 
CR3 (system control register), 
and page frame address, 5- 18 be 
and page-directory register Sees 46 : é 
register description, 4-5 . | 
CS (segment register), 
_ and code segment, 2-11 
and CPL (current privilege level), 6- 6 
and far control transfer instructions, 3-40 
register description, 2-10 | 
CWD (convert word .to doubleword), ws, 
flag cross-reference, B-l1 |. 
instruction description, 3-4 it 288 Ge 
instruction format and timing, E- 6 od 
instruction specification, 26-64 
one-byte opcode map, A-4, A-5 | 
CWDE (convert word: to doubleword 
extended), : 
instruction description, 3-6 
instruction specification, 26-51 
CX (16-bit general register). register 
description, 2-8 


D bit, segment seecuinions 5-12 — 

DAA (decimal adjust AL after addition), 
flag cross-reference, B-1: 
instruction description, 3-10 
instruction format and timing, E-11 
instruction specification, 26-65 
one-byte opcode map, A- a | 
status flag summary, C-1_ | 

DAS (decimal adjust AL aie subtraction), 
flag cross-reference, B-1 _ 
instruction description, 3-10 
instruction format and timing, E-11 °° 
instruction specification, 26-66 ~~ 
one-byte opcode map, A-4,A-5. 
status flag summary, C- t | See. 

data access, eer 
code segments shared fai o 8 | 
restrictions to, 6-7... Saeae 
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data bus, and doubleword transfers, 2-6 
data movement instructions, : 
and application programming, 3-1 
and LOCK prefix, 13-2 a 
data segment, 
and DS register, 2-11 
and ES register, 2-11 
and FS register, 2-11 
and GS register, 2-11 
and segment descriptor, 5-13 
descriptor and writable bit, 6-3 
data transfer instructions, floating point 
instructions, 17-2 
data type, 
BCD, 2-6 
bit field, 2-6 
bit string, 2-6 
byte, 2-3 
doubleword, 2-4 
far pointer, 2-6 
floating-point, 2-6 
integer, 2-6 
near pointer, 2-6 
ordinal, 2-6 
packed BCD, 2-6 | 
string, 2-6 
word, 2-3 
data type encoding, and unsupported formats, 
data types and formats, Intel486 Floating 
Point Processor (FPU), 15-9 
data-breakpoint trap, Interrupt 1 (debug 
exceptions), 9-14, 11-6 
debug address registers (DRO-DR3), 
debugging support, 11-1 
for breakpoint linear address, 11- 2 
debug control register (DR7), 
debugging support, 11-1 
for breakpoint memory access, 11-2 
debug exception, . 
and Intel486 processor, 2-23 
and RF flag, 4-3, 9-4 
and TF flag, 4-3 
debug interrupt vector, debugging support, 
debug’ status register (DR6), 
conditions sampled, 11-4 
debugging support, 11-1 
debugging, 
Intel486 processor facilities, 1 1 
instructions for system programming, 4-9 
DEC (decrement by one), 
and CF flag, 3-6 
flag cross-reference, B-1 
instruction description, 3-8 
instruction specification, 26-67 
modR/M byte opcodes, A-8 
one-byte opcode map, A-4, A-S. - 
status flag summary, C-2_ . 
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decimal arithmetic instructions, and 
application programming, 3-10 

decimal integers, FPU data type, 15-12 

default segment, assignment of, 2-19 

defining data, ASM386/486, 18-4 

demand-paged virtual memory, and paging, 5-2 

denormal real numbers, FPU data formats, 


denormal-operand exception, 
denormal operand, 16-22 
numeric exceptions, 16-17. 
pseudodenormal numbers, 16-13 
descriptor table addressing, instructions 
(system programming), 4-9. 
descriptor table base registers, 
GDTR register, 5-16 
IDTR register, 5-16 
segment descriptors, 5-16 
descriptor validation, 
VERR (verify for read), 6-21 
VERW (verify for write), 6-21 
destination operand, 
for binary arithmentic instructions, 3: 6 
for floating-point instructions, 17-1 __ 
for two-operand instructions, 2-17 
device drivers, and privilege levels, 6-6 _ 
device-not-available fault, 
~ and Intel486 processor, 2-23 
Interrupt 7 (device not available), 2 15 
DF (direction flag), 
direction flag control instructions, 3- 37 
EFLAGS register, 2-13 | 
DH (8-bit general register), register 
description, 2-8 
DI (16-bit general register), register 
description, 2-8 
direct load instructions, and segment registers, 


directed rounding, FPU rounding control, 


direction flag control instructions, and DF 
flag, 3-37 


dirty bits, and page table entries, 5-21 


displacement, - 
effective address, 2-21 
instruction format, 2-16 
display, stack frame pointer set, 3-30 
DIV (unsigned divide), | 
flag cross-reference, B-1 
general description and flags, 3-9 
instruction format and timing, E-5 . 
instruction specification, 26-68 
modR/M byte opcodes, A-8 
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divide-by-zero, numeric exceptions, 16-17 : 
divide-error exception, and Intel486 PIOCeSOr 
2723. 
divide-error fault, Interrupt 0 (divide error), 
division by zero, and Zero- divide exception, 
16-21 
DL (8-bit peneial register), register 
description, 2-8 
double real, numeric data type, i 6 
double-shift instructions, 
and bit block transfer, 3-19 
and string insertion/extraction, 3- 19 
doubleword, 
— data type, 2-400 
databus transfere 26 | 
DPL (descriptor privilege level), : 
and control transfer restrictions, 6-9 - . 
and data access restrictions, 6-7 .. 
and segment descriptors, 6-6 
and segment privilege level, 5- 14 
DS (segment register), 
and application program, 2-12 
and data segment, 2-11) 
register description, 2-10 . 
DX (16-bit general register), 
and CWD instruction, 3-4. 
register description, 2-8 


dynamic storage, and ENTER instruction, 3 30 


E bit (expansion direction bit), and Semen 
_ descriptor, 6-4 
EAX (32-bit general register), 
and binary arithmetic instructions, 3. 6 
and CDQ instruction, 3-4 
and CMPXCHG instruction, 3-43 _ 
and CWDE instruction, 3-6 © 
and DIV instruction, 3- ie 
and immediate operands, 2-18 
and IMUL instruction, 3-8 | 
and LODS instruction, 3-30 | 
-and MOV instruction, 3-2 
and MUL instruction, 3-8 
and PUSHA instruction, 3-3 
and SCAS instruction, 3-29 
and STOS instruction, 3-30 
register description, 2-8 | 
EBP (32-bit general register), 
and ENTER instruction; 3-31 
~ and LEAVE instruction, 3-35 
and PUSHA instruction, 3-3 
register description, 2-8 
EBX (32-bit general register), 
and LEA instruction, 3-41 
and PUSHA instruction, 3-3 __ 
and XLATB instruction, - 42 
register description, 2-8" 
ECX (32-bit general register), - 
and JECXZ instruction, 3-26 . 
and loop instructions, 3-25. 
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and LOOPE instruction, 3-26 - 

and LOOPNE instruction, 3-26 

and LOOPNZ instruction, 3-26: . 

and LOOPZ instruction, 3-26 | 

and MOVS instruction, 3-29 

and PUSHA instruction, 3-3 | 

and three-operand instructions, 2-18 

register description, 2-8 3 
EDI (32-bit general register), . » 

and LEA instruction, 3-41 

and MOVS instruction, 3-29 

and PUSHA instruction, 3-3 © 

and STOS instruction, 3-30. 

for string destination operand, 3- 29 

register description, 2-8 
EDX (32-bit general register), 

and CDQ instruction, 3-4» 

and IMUL instruction, 3-8 

and PUSHA instruction, 3-3 — 

register description, 2-8 
effective address, components of, 2-21 
EFLAGS register, 

AC flag once check mode — bit 18), 


and aces instructions, 2- 13. 
and condition codes, 2-13 
and conditional transfer instructions, 3- 4 
and DF (direction flag), 2-13 _ is 
and flag control instructions, 3- 35 
and I/O protection, 8-6 
and IRET instruction, 3- 24 
and mode bits, 2-13. 
and string instructions, 2-13. 
and system programming, 4-2 
as register operand, 2-19 | 
IF flag (interrupt-enable flag — bit 9), 4-3. 
IOPL esi (1/O privilege level — bits 12 and 
13), 4-3 
NT flag (nested task — bit 14), 4- 3 
RF flag (resume flag—bit 16), 4-3 
TF flag (trap flag—bit 8),4-3 
VM flag (virtual-8086 mode — bit 1) 4-3 
EIP register, | 
and CALL instruction, 3- 24 
and conditional jump instructions, 3- 25 
and current code segment, 2-14. | 
and instruction prefetching, 2-15 
and RET instruction, 3-24 © : 
EM bit (emulate coprocessor), numerics. 
environment configuration, 19-2 
EM pens bit 2), system, control flag, : 
Ae] ' 


ENTER (make stack frame for proceilure), 
flag cross-reference,-B-1 | 
general description, 3-30. a: 
instruction format and timing,,E-8 
instruction specification, 26-70. 
one-byte opcode map, A-S 
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ERROR#, and NE oe flag, 4-7 
error codes, 
and exception nandieg 9-13 
summary of, 9-24 
ES register, 
and application program, 2-12 
and data segment, 2-11 
segment register, 2-10 
ESCAPE instructions, and Intel486 Floating 
Point Unit (FPU), 14-5 . 
ESI (32-bit general register), 
and LEA instruction, 3-41 
and LODS instruction, 3-30 
and MOVS instruction, 3-29 
and PUSHA instruction, 3-3 
for string source operand, 3-29: 
register description, 2-8 
ESP (32-bit general register), 
and ENTER instruction, 3-31 
and LEAVE instruction, 3-35 
and POP instruction, 3-3 
and POPA instruction, 3-4 
and PUSH instruction, 3-2 
and PUSHA instruction, 3-3 
and RET instruction, 3-24 
register description; 2-8 7 
ET (extension type —bit 4), System etal 
flag, 4-7 
exact arithmetic, and Intel486 Floating Point 
Unit (FPU), 14-4 
exception handling example, r numeric 
programming, 20-1 | i 
exception vector, identifying number, 9- 1 
exceptions, 
alignment-check exception, 2-24 
and instruction prefetching, 2-15 
and instruction restart, 9-2 
and page mapping, 2-2 
and task switching, 7-1 
and trap gates, 6-11 
bounds-check exception, 2-23 
breakpoint exception, 2-23 
conditions causing, 9-13 
debug exception, 2-23. 
description of, 2-23 
device-not-available exception, 2-23 
divide-error exception, 2-23. 
for basic programming model, 2-23 
FPU simultaneous response, 19-4 
in real-address mode, 22-2, 22-5 
overflow exception, 2-23 
processing priority, 9-5, 16-26 
processor-detected, 9-1 — , 
programmed software morules 9- 1 7 
summary of, 9-24 ‘4 
synchronization, 18-13, 18-14. — 


INDEX 


executable-segment descriptor, readable bit, 
explicit operand, 

description of, 2- i. 

in memory, 2- 19 
extended format, and Intel486 Floats Point 

Unit (FPU), 14-6 | 

extended real, numeric data type, 3-38, 14-6 
external bus, and I/O instruction execution, 
external cache, 

Intel486 processor, 12-1. 

and write-back cache, 12-2 | 

and write-through cache, 12-2 


F2XM1 (computer 2x- 1), 
condition code interpretation, 15- 4 7 
instruction format and timing, E-19 
instruction specification, 26-72. 
numeric exception summary, F-1 
FABS (absolute value), 
condition code interpretation, 15- ere 
instruction format and timing, E-19 
instruction specification, 26-74 
numeric <aCeRUOn summany: F-1 
FADD (add),. 
condition code interpretation, 15-4 
instruction format and timing, E- 17 : 
instruction specification, 26-75: 
numeric exception summary, F- 1 
FADDP (add), 
instruction format and timing, E-17. . 
instruction specification, 26-75 
numeric exception summary, F-1 
Far CALL, general description., 3-40 
far form, RET (return from procedure), 6- 17 
far pointer, data type, 2-6 a 
Far RET, general description, 3-40 ay 
far transfer, and unconditional transfer 
instructions, 3-23 
faults, 
exception conditions, 9-13 
exception description, 9-2 
processor-detected exception, 9-1 
FBLD (load binary coded decimal), 
condition code interpretation, 15-4 — | 
instruction format and timing, E-16 
instruction specification, 26-77 
numeric exception summary, F-1 | 
FBSTP (store binary coded decimal and pop), 
condition code interpretation, 15-4 
instruction format and timing, E-16 
instruction specification, 26-79 
numeric exception summary, F-1 © 


-FCHS (change sign), 


condition code interpretation, 15-4 

instruction format and timing, E-19 
instruction specification, 26-80 
numeric exception summary, F-1 ~~ 
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FCLEX (clear exceptions), 
condition code interpretation, 15-4 
instruction format and timing, E-19 
instruction specification, 26-81 
numeric exception summary, F- 1 
FCOM (compare real), : 
condition code interpretation, 15-4 
instruction format and timing, E-16 
instruction specification, 26-82 
numeric exception summary, F-1 
FCOMP (compare real), 
condition code interpretation, 15-4 | 
instruction format and timing, E-16 
instruction specification, 26-82. 
numeric exception summary, F-1 
FCOMPP (compare real), 
condition code interpretation, 15-4 
instruction format and timing, E-17 
instruction specification, 26-82 
numeric exception sununaty: F-1 
FCOS (cosine), 
condition code interpretation, 15- 4 
instruction format and timing, E-19 
instruction specification, 26-84 
numeric exception summary, F-1 
FDECSTP (decrement stack-top pointer), 
instruction format and timing, E-20 — 
instruction specification, 26-86 
numeric exception summary, F-1 
FDIV (divide), 
condition code interpretation, 15- 4 
instruction format and timing, E-18: 
instruction specification, 26-87 
numeric exception summary, F-1 
FDIVP (divide), | 
instruction format and timing, E. 1s. 
instruction specification, 26-87 
numeric exception summary, F-1 
FDIVPR (reverse divide), 
instruction format and timing, E-18 
instruction specification, 26-89 
numeric exception summary, F-1_ 
FDIVR (reverse divide), 
condition code interpretation, 15-4 
instruction format and timing, E-18 
instruction specification, 26-89 
numeric exception summary, F-1 
FERR#, 
and NE control flag, 4-7 , 
and software exception handling, 16- 19 
FFREE (free floating-point register), 
instruction format and timing, E-20 
instruction specification, 26-91 
numeric exception summary, F- 1 
FIADD (add), 
instruction format and timing, E-18 
instruction specification, 26-75 
numeric exception. summary, F-1 
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FICOM (compare integer), 
condition code interpretation, 15- 4 
instruction format and timing, E-17 
instruction specification, 26-92 
numeric exception summary, F-1 
FICOMP (compare integer), 
condition code interpretation, 15- 4 
instruction format and timing, E-17 
instruction specification, 26-92 
numeric exception summary, F-1 
FIDIV (divide), | - 
instruction format and timing, E-18 
instruction specification, 26-87 © 
numeric exception summary, F- 1 
FIDIVR (reverse divide), 
instruction. format and timing, E- 19 
instruction specification, 26-89 | 
numeric exception mee F- 1 
FILD (load integer), | 
condition code interpretation, 15- 4 
instruction format and timing, E-16 | 
instruction specification, 26-94 
numeric exception summary, F-1 
FIMUL (multiply), | 
instruction format and timing, E-18 | 
instruction specification, 26-109 
numeric exception summary, F-1 
FINCSTP (increment stack-top pointer), 
condition code interpretation, 15-4 
instruction format and timing, E-20 
instruction specification, 26-96 
numeric exception summary, F-1 
FINIT (initialize floating-point unit), 
condition code interpretation, 15-4 
instruction format and timing, E-19 . 
instruction specification, 26-97 
_ numeric exception summary, F-1 
FIST (store integer), | 
condition code interpretation, 15- 4 
instruction format and timing, E-16 : 
instruction specification, 26-99 © 
numeric exception swaMely, F-1 
FISTP (store integer), i 
instruction format and timing, E-16 — 
instruction specification, 26-99 | 
numeric exception summary, F- 1 
FISUB (subtract), 
instruction format and timing, E 18 
instruction specification, 26-138 — 
numeric exception summary, F-1 
FISUBR (reverse subtract), 
instruction format and timing, E- 18 
instruction specification, 26-140 
numeric exception summary, F-1. 
flag control instructions, and application 
poe ae 3-35 i 
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flat address space, memory organization 


model, 2-2, 2-3 
flat model, 
and segmentation, 5-3 
segment/page translation, 5-23 | 


flat model initialization, segmentation, 10-5 


FLD1 (load constant), 
instruction format and timing, E- 17 
instruction specification, 26-103 
numeric exception summary, F-1 
FLD (local real), 
condition code interpretation, 15-4 
instruction format and timing, E-16 
instruction specification, 26-101 
numeric exception summary, F-1 
FLDCW (load control word), 


condition code interpretation, 15-4 _ 


instruction format and timing, E-19 
instruction specification, 26-105 
numeric exception summary, F-1 
-FLDENV (load FPU environment), 
condition code interpretation, 15-4 
instruction format and timing, E-19- 
instruction specification, 26-107 
numeric exception summary, F-1 
FLDL2E (load constant), 
instruction format and timing, E-17 
instruction specification, 26-103 
numeric exception summary, F-1 
FLDL2T (load constant), 
instruction format and timing, E-17 
instruction specification, 26-103 
numeric exception summary, F-1 _ 
FLDLGz2 (load constant), 
instruction format and timing, Ed? 
instruction specification, 26-103 
numeric exception summary, F-1 
FLDLN2 (load constant), 
instruction format and timing, E-17 
instruction specification, 26-103 
numeric exception summary, F-1 
FLDPI (load constant), 
instruction format and timing, E-17 
instruction specification, 26-103 
numeric exception summary, F-1 
FLDZ (load constant), 
instruction format and timing, E-17 
instruction specification, 26-103 
numeric exception summary, F-1 
floating-point, data type, 2-6 7 
floating-point detection code, 3-42 
floating-point instructions, = =| 
comparison instructions, 17-4 | 
constant instructions, 17-6 
control instructions, 17-6 — 
data transfer instructions, 17-2 
destination operands, 17-1 
nontranscendental instructions, 17- 2 
_ source operands, 17-1 | 
transcendental instructions, 17- 4 


INDEX 


floating-point numerics configuration, 19-2 
floating-point numerics, instructions (system 
programming), 4- 9 
floating-point to ASCII conversion example, 
numeric programming, 20-7 
floating-point-error fault, Interrupt 16 
(floating-point error), 9-23 
FMUL (multiply), 
condition code interpretation, 15-4 
instruction format and timing, E-18 
instruction specification, 26-109 
numeric exception summary, F- ; 
FMULP (multiply), 
instruction format and timing, E- 18 
instruction specification, 26-109 
numeric exception summary, F-1 
FNCLEX (clear exceptions), instruction 
specification, 26-81 
FNINIT (initialize floating point unit), and 
FPU initialization, 19-2 
FNINIT (initialize floating-point unit), 
instruction specification, 26-97 
FNOP (no operation), 
instruction format and timing, E-20 
instruction specification, 26-111 | 
numeric exception summary, F-1 
FNSAVE (store FPU state), instruction 
specification, 26-123 7 
FNSTCW (store control word), instruction : 
specification, 26-133 
FNSTENV (store FPU environment), 
instruction specification, 26-134 
FNSTSW (store status word), instruction 
specification, 26-136 
forking, See copy-on-write strategy 
FPATAN (partial arctangent), 
condition code interpretation, 15-4 
instruction format and timing, E-19 
instruction specification, 26-112 
numeric exception summary, F-1 
FPREM1 (partial remainder), | 
condition code interpretation, 15-4 
instruction format and timing, E-19 
instruction specification, 26-116 
numeric exception summary, F-1 
FPREM (partial remainder), 
condition code interpretation, 15-4 
instruction format and timing, E-19 
instruction specification, 26-114 
numeric exception summary, F-1 


_ FPTAN (partial tangent), 


condition code interpretation, 15-4 
instruction format and timing; E-19 
instruction specification, 26-118 
numeric exception summary, F-1 

FPU control word, and numerical exception 

masking, 15-5 

FPU data formats, 
and other entities, 16-1 
and special numeric values, 16-1 
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FPU data type, 

binary integers, 15- Me 

decimal integers, 15-12 

real numbers, 15-12 } 
FPU register addressing modes, and 

ASM386/486 assembler, 15-1 

FPU register stack, and numeric registers, 15-1 
FPU status word, and Integer Unit; 15-2. 
FPU tag word, and numeric registers, 15-6 


instruction specification, 26-134 
numeric exception summary, F-2 
FSTP (store real), i 
condition code interpretation, 15 4 


instruction specification, 26-131 
numeric exception summary, F- 2 
FSTSW (store status word), : 


instruction format and timing, E-16 


FRNDINT (round to integer), 
condition code interpretation, 15-4 


instruction format and timing, E-19 | 


instruction specification, 26-120 
numeric exception summary, F-1 
FRSTOR (restore FPU state), 
condition code interpretation, 15-4 
instruction format and timing, E-20 
instruction specification, 26-121 
numeric exception ee F-1 
FS register, 
and application program, 2-12 | 
and data segment, 2-11 7 
segment register, 2-10 | 
FSAVE (store FPU state), 
condition code interpretation, 15- 4 
instruction format and timing, E-20 
___ Instruction specification, 26-123 
FSCALE (scale), 
condition code interpretation, 15- 4 


instruction format and timing, E-19. 


instruction specification, 26-125 
numeric exception summary, Raat 
FSIN (sine), 
condition code interpretation, 15- 4 
instruction format and timing, E-19 
instruction specification, 26-126 
numeric exception summary, F- 2 
FSINCOS (sine and cosine), - 
condition code interpretation, 15- * 


instruction format and timing, E-19 | 


instruction specification, 26-128 
numeric exception summary, F-2 » 
FSQRT (square root), 
condition code interpretation, 15- 4 
instruction format and timing, E-19 
instruction specification, 26-130 
numeric exception summary, F-2 
FST (store real), 


condition code interpretation, 15-4 


instruction format and timing, E-16 
instruction specification, 26-131 
numeric exception summary, F-2 
FSTCW (store control word), 
condition code interpretation, 15-4 
instruction format and timing, E-19 
instruction specification, 26-133 
numeric exception summary, F-2 . 
FSTENV (store FPU environment), 
condition code interpretation, 15-4. 


instruction format and timing, E-19 


condition code interpretation, 15-4 
instruction format and timing, E-19 
instruction specification, 26-136 
numeric exception summary, F-2- 
FSUB (subtract), 
condition code interpretation, 15-4 
instruction format and timing, E-17 
instruction specification, 26-138 
numeric exception summary, F-2_ 
FSUBP (subtract), 
instruction format and timing, E-17 
instruction specification, 26-138. 
numeric exception summary, F-2— 
FSUBPR (reverse subtract), | 
instruction format and timing, E- 8 
instruction specification, 26-140 
numeric exception summary, F-2 | 
FSUBR (reverse subtract), 3 
condition code interpretation, 15-4 


instruction format and timing, E-18 ._ 


instruction specification, 26-140 
numeric exception SumIMAly, E. 
FTST (test), . | 
condition code interpretation, 15 4 
instruction format and timing, E-17 
instruction specification, 26-142 
numeric exception summary, F-2 
FUCOM (unordered compare real), © 
condition code interpretation, 15-4 | 
instruction format and timing, E-17 
instruction specification, 26-144 
numeric exception summary, F-2 
FUCOMP (unordered compare real), 
condition code interpretation, 15-4 
instruction format and timing, E- 17 
instruction specification, 26-144 © 
numeric exception summary, F-2 — 
FUCOMPP (unordered compare real), 
condition code interpretation, 15-4 __ 
instruction format and timing, E-17 
instruction specification, 26-144 
numeric exception summary, F-2 
FWAIT (wait), 
instruction specification, 26-146 
numeric exception summary, F-2 
FXAM (examine real), 7 
condition code interpretation, 15- 4 
instruction format and timing, E-17 
instruction specification, 26-147 
numeric exception summary, F-2: 
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- FXCH (exchange register contents), 
condition code interpretation, 15-4 
instruction specification, 26-149 
numeric exception summary, F-2 

FXTRACT (extract exponent and significand), 
condition code interpretation, 15-4 
instruction format and timing, E-19 
instruction specification, 26-151 
numeric exception summary, F-2 

FYL2X (compute y x log2x), 
condition code interpretation, 15-4 
instruction format and timing, E-19 
instruction specification, 26-153 
numeric exception summary, F-2 

FYL2XP1 (compute y x log2 (x + 1)), 
condition code interpretation, 15-4 
instruction format and timing, E-19 
instruction specification, 26-155 

_ numeric exception summary, F-2 


G bit (granularity bit), and segment descriptor, 
6-4 | 


gate descriptors, and control transfers 
protection, 6-11 
GD (global debug), 11-4 
GDTR (global descriptor table register), 
descriptor table base registers, 5-16 
register description, 4-4 
general registers, 
and IMUL instruction, 3- 8 
and POPA instruction, 3-4 
and PUSHA instruction, 3-3 
as register operand, 2-19 
of Intel486 processor, 2-8 
general-detect fault, Interrupt 1 (debug 
exceptions), 9- 14, 11-8 | 
general-protection exception, 
and multi-segment model, 5-5 
and privilege levels, 6-5 
and protected flat model, 5-4 
global descriptor table (GDT), 
segment descriptor tables, 5-15 
segment translation, 5-5 | 
gradual underflow, and denormal vanes 16-4 
granularity bit, | 
and TSS descriptor, 7-4 
segment descriptors, 5-10 
GS register, 
and application program, 2-12 
and data segment, 2-11 
segment register, 2-10 


handler, for exceptions and interrupts, 9-1 
high word, for doubleword data type, 2-4 _ 
high-level languages, and FPU numeric 
| applications, 18-1 
HLT (halt), 
flag cross-reference, B-1 
instruction format and timing, E-11 
instruction specification, 26-157 
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instructions (system programming), 4-11. 
one-byte opcode map, A-4 
privileged instruction, 6-19 


Intel486 DX2 CPU, 1-1, 1-6 | 
Intel486 Floating Point Processor (FPU), 


applications, 14-4 

architecture, 15-1 

concurrent processing, 18-12 

data types and formats, 15-9 

history of, 14-1 

Intel486 processor, 14-1 

infinity operands, 16-8 
initialization, 19-2 

Intel387 DX emulation, 19-3. ~ 
NaN (not-a-number) operands, 16-8 
number system, 15-9 

numerics environment configuration, 19-2 
performance, 14-1 | 

precision control, 15-16 | 
programming interface, 14-5 _ 
rounding control, 15-15 

system programming, 19-1 
zero operands, 16-6 | 


Intel486 Integer Unit (IU), 


concurrent processing, 18-12 
operation with FPU, 14-2 ° 


Intel486 processor, 


control registers, 2-8, 4-5 

CPU_id code, 3-42 

debug registers, 4-8 

debugging facilities, 11-1 

external cache, 12-1 

features, 1-1 gate SO TIDIONs: 6-11 
general registers, 2-8 
initialization, 10-3 


Intel486 Floating Point Processor (FPU), 


I/O instructions, 8-4 
initialization, 10-1 
input/output, 8-1 


Internal cache, 12-1 


memory-management registers, 4-4 
mixing 16-bit and 32 bit code, 24-1 
multitasking mechanism, 7-1 | 
operating modes, 1-2 

operating status, 2-13 

real-address mode, 22-1 

segment registers, 2-8 

software emulation, 19-3 

status registers, 2-8 

system flags, 4-2 

system instructions, 4-9 

system registers, 4-1 

task linking, 7-11: 

task switching, 7-7 — 

test registers, 4-8 

virtual-8086 mode, 23-1 
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Intel487.SX CPU. 
CPU_id code, 3-42 
initialization, 10-3 
software emulation, 19- 3 
I/O address space, 
and IOPL flag, 4-3. 
and physical memory, 8- 2 
Intel486 processor, 8-1 
I/O instructions, 
and Intel486 processor, 8- 4 
and I/O privilege level, 8-6 : 
I/O operations, and sensitive instructions, 6- 19 
I/O permission bit map, and TSS es state 
segment), 8-7 
I/O port. for operand selection, 2-17 
I/O privilege level, 7 
and I/O instruction access, 8-6 
and IOPL flag, 4-3 
IDEC (decrement by one), modR/M byte 
opcodes, A-8 
IDIV (signed divide), 
flag cross-reference, B-1 
instruction description, 3-10 : 
instruction format and timing, E- 5 
instruction specification, 26-158 | 
modR/M byte opcodes, A-8 
IDT (interrupt descriptor table), 
exception/interrupt vectors, 9-5 : 
interrupt gates, 9-7 
LIDT (load IDT register), 9- r 
task gates, 9-7 
trap gates, 9-7 
types of, 9-7 
IDTR (interrupt seeabioe table ie. 
descriptor table base registers, 5-16 
register description, 4-5 
IEEE Standard 754, and une formats, 
16-13. 
IEEE Standard 854, 
and Intel486 Floating Point Processor. 
(FPU), 14-1 
and invalid arithmetic operation, 16-21. 
and standard underflow/overflow exception 
handler, 16-27 
IF flag (interrupt- -enable flag—bit 9), © 
mask INTR interrupts, 9-3 — 
system flag description, 4-3 IGNNE#, 
and NE control flag, 4-7 = 
and software exception handling, 16- 20 
immediate operand, instruction format, 2-16 
implicit operand, description of, 2-17 | 
implied load instructions, and segment 
registers, 5-7 
IMUL (signed multiply), 
flag cross-reference, B-1 » 
general description and flags, < 8 
instruction format and timing, E-5. 
instruction specification; 26-160: 
modR/M byte opcodes, A-8 
one-byte opcode map, A-5. 
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status flag summary,.C-2__ 
two-byte opcode map, A-7 
IN (input from port), 
flag cross-reference, B-1 | ya 
instruction format and timing, E-15 
instruction specification, 26-162 — 
one-byte opcode map, A-4, A-5 _ 
register I/O instructions, 8-5 
sensitive instructions, 8-6 
INC (increment by one), 
and CF flag, 3-6. . 
flag cross- -reference, B-1 
instruction description, 3-7 
instruction specification, 26- 164 
modR/M byte opcodes, A-8 
one-byte opcode map, A-4, A-5 
status flag summary, C-2 
inconsistent stack pointer, and page fault, 9. 23 
indefinite value, and numeric data type, 16- 12 
index component, | 
and segment selectors, 5-9 
for effective address, 2-21 
inexact exception, 
and inexact (precision), 16- 26 
and underflow exception, 16-26 | 
inexact result (precision), 
and inexact exception, 16- 26 
numeric exceptions, 16-18 | 3 
infinity operands, and Intel486 Floating Point 
Processor (FPU), 16- 8 : 
initialization, ; 
and Intel486 processor, 10-1 — 
Intel486 Floating Point Processor’ (FPU); 
19-2 
inner protection rings, and stack switching, — 
input port, and input/output, 8-1 
input/output, 
and Intel486 processor, 8-1 
instructions (system programming), 4- 9 
INS (input from port to string), | 
block I/O instructions, 8-5 
flag cross-reference, B-1 z es 
instruction format and timing, E- 15 a 
instruction specification, 26-165 | 
sensitive instructions, 8-6 
INSB (input from port to string), 
instruction specification, 26-165 | 
one-byte opcode map, A-4, A-5 __ 
INSD (input from port to string), © 
instruction specification, 26-165 
one-byte opcode map, A-4, A-5 
instruction, ihe 
and default segment selection,,2-19 
and operand selection, 2-17 
first initialization execution, 10-4 _ 
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instruction address breakpoint fault, Interrupt 
1 (debug exceptions), 9-14. 

instruction format, : 

addressing- -mode specifier, 2. 16 or 

and opcode, 2-16 | 

and prefix, 2-16 

and register specifier, 2- 16. 

displacement, 2-16 

for basic programming model, 2- 15. 

immediate operand, 2-16 

SIB (scale, index, base) lea 2- 16 
instruction prefetching, 

and EIP register, 2-15 

and exception generation, 2-15. | 

and parity checking, 2-15 

and PLOCK#, 13-1 

and pseudo- locking, 15- 4 
instruction restart, | 

and exceptions, 9- 2 

and interrupts, 9-2 

and paging, 5-2 | ne 
instruction-breakpoint fault, aac apt 1 

(debug exceptions), 11-6, | 

instructions, in. real-address mode, 2220 
instructions (application programming), 

binary arithmetic instructions,:3-6 |. 


block-structured language fac TrucHions: 3- 30. 


control transfer instructions, 3-23 . 
data movement instructions, 3-1 
data registers, 2-12 - 
decimal arithmetic instructions, 3- 10 
flag control instructions, 3-35. |. 
logical instructions, 3-11 . | 
miscellaneous instructions, 3-41. 
numeric instructions, 3-38 : | 
segment register instructions, 3- 39 
string operations, 3-27 
instructions: (operating system), 
privileged instructions, 6-19 
sensitive instructions, 6-19 
instructions (system programming), 
cache management, 4-9 
debugging, 4-9 | 
descriptor table addressing, . 10 
floating-pont numerics, 4-9 | 
HLT instruction, 4-11. 
input and output, 4-9 
interrupt control, 4-9 
LOCK instruction, 4-11; 
multitasking, 4-10 ... | Tine? 
pointer parameter. verification, 49. | 
system control, 4-9 Ls 
INSW (input from port to string), 
instruction specification, 26-165. . 
one-byte opcode map, A-4, A- - 
INT (call to interrupt procedure),, 
flag cross-reference;.B-1_ - 
for interrupt generation, 2- 24 
general description, 3-26 
instruction format and timing, E-13 
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instruction specification, 26-167. 
one-byte opcode map, A-5 | 
integer, data type description, 2- 6. 


_ integer instructions, overview of, 3-1 


Integer Unit, and FPU status word, 15-2 
Intel386 DX processor, : 
and data breakpoint matching, il 4 
and Interrupt 9 (Intel reserved), 9- a 
and MP control -flag, 4-7. 
processor differences, 21-4 . 
real-address mode, 22-1, 


. Intel386 DX processor programs, and Intel486 | 


processor, 21-1 


~. Intel387 DX coprocessor, 


and ET control flag, 4-7 
emulation and Intel486 Floating Point, 
Processor (FPU), 19-3 ©: 
Intel. 80186 processor,. real-address mode, 22-1 . 
Intel 80188 processor, real- seis mode, 22- 1 


_ Intel 286. processor, 


LMSW: instruction, .4- 1: 
MP control ‘flag, 4-7 © (tig oe Bae, 
‘processor differences,. 21- 2 
programs:and: Intel486. processor, 21 1 
protected mode, 21-1 7 
real-address mode, 22-1 
running tasks, 21-2 3 
segment descriptors, 21-1 
SMSW instruction, 4-11 >...... 
TSS compatibility, 7-2 

Intel 8086 processor, a 
real-address mode, 22-1 |; 
virtual-8086 mode, 4-3 

Intel 8087 pioersstt compatibility and B bit 

15-2, 


Intel 8088 processor, teal- address mode, 22- 4 
Intel 8259A Programmable Interrupt - 
Controller;:and interrupt vector, 9-1: 
Intel 860 processor, alignment- “check 
exception, 4-2 
internal cache, 
and cache lines, 12-2; ..: e 
and write- -through cache, 12-2 
Intel486 processor, 12-1. 
operation of, 12-25. 
self-modifying code, 12- a | | 
Interrupt 0 (divide error), divide- -eIror fault, 
9-14 


Interrupt 10 (invalid TSS), invalis-TSS fault, | 
9-17 
Interrupt 11 (segment not present), segment- 


not-present fault, 9-18.. 
Interrupt 12 (stack exception), stack fault, 9-19 


Interrupt 13 (general proteeon), protection | | 


violations, 9-2 
Interrupt 14 (page fault), page. fault, 9-21 
Interrupt 16 (floating-point error), floating- 
point-error fault, 9-23 - | 
Interrupt 17 (alignment. check), alignment: = 
check fault, 9-23° 
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Interrupt 1 (debug exceptions), 
data address breakpoint trap, 9-14 
data-breakpoint trap, 11-6 | 
general detect fault, 9-14 
general-detect fault, 11-8 
instruction address breakpoint fault; oe 14 
instruction-breakpoint fault, 11-6 — 
single-step trap, 9-14,11-8 © | 
task-switch breakpoint trap, 9- 14 
task-switch trap, 11-8 
Interrupt 3 (breakpoint), breakpoint trap, 
9-14,.11-9 
Interrupt 4 overflow), overflow trap, 9-15 
Interrupt 5 (bounds check), bounds-check 
fault, 9-15 
ene UP 6 ene opcode), invalid-opcode 
ault, 


Interrupt 7 (device not available), device- not- — 


‘available fault, 9-15 — 


Interrupt 8 ee fault), multiple faults, 9- 16. 


Interurpt 9 (Intel reserved), coprocessor- | 
segment overrun abort, 9-17 
interrupt acknowledge, automatic locking, 13-3 
interrupt control, instructions (ystem program 
ming), 4-9 
interrupt gates, 
and interrupts, 6-11 
IDT descriptors, 9-7 | 
interrupt procedures, 
and interrupt tasks, 9- va 
and stack, 9-9 
flag usage, 9-11 
protection, 9-11 
returning from; 9-9 . 
interrupt requests (INTR interrupts), and IF 
flag, 4-3 
interrupt tasks, 
and interrupt procedures, 9- 7 
and task gate, 9-11 
- interrupt vector, 
identifying number, 9-1 
software initialization, 10-3 
interrupts, 
and instruction restart, 9-2 
and interrupt gates, 6- 11 
and task switching, 7- 1. 
description, 2-23 
enable/disable, 9-3 
for basic programming model, 2-23 
in real-address mode, 22-2 
maskable source, 9-1 | 
processing priorities, 9-5 
unmaskable source, 9-1 | 
with INT instruction, 2-24 © 
INTO (interrupt on overflow), 
flag cross-reference, B-1 
general description, 3-26_ 
instruction format and timing, E-13 | 
instruction specification, 26-167: — 
—~one-byte opcode map, A-5 
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INTR interrupts, and IF flag, 9-3 invalid) «— 
arithmetic operation, and IEEE» 
Standard, 16-21, 854 

invalid operation, ! i 

and numeric exceptions, 16- 20 
numeric exceptions, 16-17 — os 
invalid-opcode fault, Interrupt 6 Gnyalld 
opcode), 9-15 | 
invalid-operation exception, 
and NaN (not-a-number) rer 16- 10 
and QNaN real indefinite, 16-11. 


> invalid-TSS fault, Interrupt 10 (invalid TSS), 


_ 9-17 
INVD (invalidate cache), a 
cache management instructions, 12. 3 
flag cross-reference, B-1 
instruction format and timing, E-11 
instruction specification, 26-172 
two-byte opcode map, A-7 . 
INVLPG (invalidate TLB entry), 
flag cross-reference, B-1 
instruction format and timing, Ee 11: 
instruction specification, 26-173 © 
IOPL flag hes privilege level — bits 12 te 
13), 


description, 4 3° 
system flag 
IRET (interrupt return), 
flag cross-reference, B-2 
general description, 3-24 © 
instruction format: and amines E-13 
instruction specification, 26-174 
one-byte opcode map, A-5- > 


~. TRETD (interrupt return), instruction 


Specitication: 26- 174 


JB, two-byte opcode map, A- 6" os 
Jb (short- displacement jump on condition), 
one-byte opcode map, Ae 4, as ore. 

one-byte opcode map, A- 40 
two-byte opcode map, A-6_— 

Jcc (jump if condition is met), 
flag cross-reference; B-2 
instruction format and timing, E- 7 ; 
instruction specification, 26- 179 | 
status flags, 3-7 


flag cross-reference, B-2 , 
instruction format and timing, E-7 
one-byte opcode map, A-4 
JECXZ (jump if ECX zero), © 
general description, 3-26 « — 7 
instruction format and timing, | oy 
JL, 
one-byte opcode map, A-4, AS | 
two-byte opcode ase A- fi f° Tas 


one- byte opcode map, A- 4, A 5 = 
two-byte opcode map, A-7 come 
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JLNE, one-byte opcode map, A-4 
JMP (jump), 
flag cross- -reference, B-2 
instruction: description, 3-23 
instruction format and timing, E-7, E-9 
instruction specification, 26-183 | 
modR/M byte opcodes, A-8 
one-byte opcode map, A-5 
JNB, | 
one-byte opcode map, A-4 
two-byte opcode map, A-6 
JNBE, 
one-byte opcode map, A-4 
two-byte opcode map, A-6 
one-byte opcode map, A-5 
two-byte opcode map, A- 7 
JNLE, 
one-byte opcode map, A-5 
two-byte opcode map, A-7 
JNO, ae : 
one-byte opcode map, A-4 
two-byte opcode map, A-6 
JNP, | 
one-byte opcode map, A-4, A-5 
two-byte opcode map, A-7 | 
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two-byte opcode map, A- of 
JINZ, 
one-byte opcode map, A- 4. 
two-byte opcode map, A-6 
JO, 7 | 
one-byte opcode map, A-4 
two-byte opcode map, A-6 
JP, | Hee. 4 
- one-byte opcode map, A-4, A-5. _ 
two-byte opcode map, A-7 © 
JS, 
one-byte opcode map, A-4, A-5 
two-byte opcode map, A-7) > 
JV, | 
one-byte opcode map, A-5 
two-byte opcode map, A-6, A-7 
Z, ae | | 
one-byte opcode map, A-4 
two-byte opcode map, A-6 


KEN#, and PCD bit (page-level cache 
disable), 12-4 3 


LAHF (load flags into AH), 
flag cross-reference, B-2 
instruction description, 3-37 
instruction format and timing, E-10 
instruction specification, 26-188 | 
one-byte opcode map, A-5 — 

LAR (load access rights byte), 
flag cross-reference, B-2 
instruction format and timing, E-12 


one-byte opcode map, A-4,A-5 | 
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instruction specification, 26-189 
pointer validation instructions, 6-20 
two-byte opcode map, A-6 
LDS (load pointer using DS), 
flag cross-reference; B-2 
general description, 3-40 
instruction format.and timing, E-8 
instruction specification, 26-196 
one-byte opcode map, A-4 
LDT switching, and task switching, 7-1 
LDTR (local descriptor table register), | 
register description, 4-4 
LEA (load effective address), 
flag cross-reference, B-2 
general description, 3-46 
instruction format and timing, E-3 
instruction specification, 26-191 
one-byte opcode map, A-4, A-5 
LEAVE (high level procedure exit), 
flag cross-reference, B-2 
general description, 3-35 
instruction format and timing, E-8: 
instruction specification, 26-193 
one-byte opcode map, A-5 a 
LEN bits, and debug breakpoints, 11-5 
LES (load pointer using ES), 
flag cross-reference, B-2 _ 
general description, 3-40 
instruction format and timing, E-8 
instruction specification, 26-196 © 
one-byte opcode ay A-4 
lexical level, 
and block-structured Janguages, 3-32 
and ENTER instruction, 3-30 
LFS (load pointer using FS), = 
flag cross-reference, B-2 
general description, 3-40 : 
instruction format and timing, E-8 | 
instruction specification, 26-196 - 
two-byte opcode map, A-6— 
LGDT (load global/IDTR), 
flag cross-reference, B-2 
instruction format and timing, E- 12 
instruction specification, 26-194 
modR/M byte opcodes, A-8 . 
privileged instruction, 6-19 
_ LGS (load pointer using GS), | 
flag cross-reference, B-2 
general description, 3-41 
instruction format and timing, E-8 
instruction specification, 26-196 
two-byte opcode map, A-6 
‘LIDT (load IDT register), 


and IDT (interrupt descriptor able), 9-7 


flag cross-reference, B-2 
instruction format and timing, E-12. 
instruction specification, 26-194 — 
modR/M byte opcodes, A-8 | 
privileged instruction, 6-19 
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limit, and segment descriptors, 5-10... 
limit checking, segment GesCEIDLOrs) 6- a 
linear address, 
and logical address, 2-1 
and page translation, 5-17, 5- 18 rz 
_ and physical space mapping, 7- 13 
and segment translation, 5-5. 
and segmentation, 2-2, 5-2 


and task address mapping, See | 


LLDT (load LDTR), | 
flag cross-reference, B-2. 
instruction format and timing, E-12 
instruction specification, -26-199 
modR/M byte opcodes, A-8 
privileged instruction, 6-19 
LMSW (load machine status word), 
flag cross-reference, B-2 
instruction format and timing, E- 12 
instruction specification, 26-201 - 
Intel 286 processor, 4-11 : 
modR/M byte opcodes, A-8 
privileged instruction, 6-19 
local descriptor table (LDT), 
segment descriptor tables, 5-15. 
segment translation, Syne . y 
LOCK#, | 
and automatic locking, 13- ce 


and LOCK instruction, 4-11 _ 
and LOCK prefix, 13- 2 
LOCK (assert LOCK# prefix), 


and critical memory operations, 13- 1 -_ 


and CMPXCHG instruction, 3-43 


and XADD instruction, 3- 43 

and XCHG instruction, 3-2 

flag cross-reference, B- me 

instruction specification, 26-202 — 

one-byte opcode map, A- . 
LOCK instruction, 

and LOCK#, 4-11” 


instructions (system programming), a 11 


LOCK prefix, and LOCK#, 13-2 


locked bus cycles, and multiprocessing, 13- a 


LODS (load string opetand), » 
flag cross-reference, B-2 — 
general description, 3-30 : 
instruction format and timing, E-9 
instruction specification, 26-204 
LODSB (load string operand), 
instrucion specification, 26-204 
one-byte opcode map, A-4, A-5 . 
LODSD (load string operand), . — 
instrucion specification, 26-204 © 
one-byte opcode map, A-4, A-5 
LODSW (load string operand), - | 
instruction specification, 26-204 
one-byte opcode map, A-4, A-5 
logical address, 
and segment translation, 2- m 5- 5. 
and segmentation, 5-2 
task address mapping, 7-14 
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use of, 2-1 | 
logical instructions, and application 
programming, 3-11. 


long integer, numeric data type, 3-38, 14- 6 


LOOP (loop control with CX counter), 
flag cross-reference, B-2 
general description, 3-25 
instruction format and timing, E-7 
instruction specification, 26-206 
one-byte opcode map, A-4 
LOOPE (loop while equal), 
flag cross-reference, B-2 
general description, 3-26 
instruction format and timing, E-7 
one-byte opcode map, A-4 
LOOPNE (loop while not equal), 
flag cross-reference, B-2 — 

_ general description, 3-26 
instruction format and timing, EP 7 
one-byte opcode map, A-4 ) 

LOOPNZ (loop while not zero), 
general description, 3-26 
instruction format and timing, E-7 


LOOPZ (loop while zero), 


general description, 3-26 3 
instruction format and-timing, E-7 
low word, for doubleword data type, 2-4 
LSL (load segment limit), 
flag cross-reference, B-2 
instruction format and timing, E-12 
instruction specification, 26-208 
pointer validation instructions, 6-20. 
two-byte opcode map, A-6 | 
LSS (load pointer using SS), 
flag cross-reference, B-2 » 
general description, 3-41 
Instruction format and timing, E-8 
instruction specification, 26-196 
two-byte opcode map, A-6 
LTR (load task register), 
and task register description, 7: 6 
flag cross-reference, B-2 
instruction format and timing, E-12 © 
instruction specification, 26-210 
modR/M byte opcodes, A-8 
privileged instruction, 6-19 


M/IO#, 
and I/O address space, 8-2 — 
and I/O instructions, 8-4 — : 
maskable interrupts, and vector assignment, 
memory, 
access types, 2-10 nel? fe 
for operand selection, 2. 17 
model choice, 2-2. | 
model description, 2. 
memory management, 
and page translation, 5- V7: 
and paging, 2-1, 5-1. 
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and segment registers, 5-6 
and segmentation, 2-1, 5-1 
and segments, 2-1 
description of, 2-1 
memory operand offset, and modR/M byte, 


memory reference types, and segment 
registers, 5-7 
memory-management registers, 
and system programming, 4-4 | 
caste (global descriptor table register), 
-4 


IDTR (interrupt descriptor table register), 


LDTR (local descriptor table register), 4-4 
TR (task register), 4-5 
memory-mapped I/O, and physical memory, 
8-3 


miscellaneous instructions, and application 
| programming, 3-41 
mixing 16-bit and 32-bit code, Intel486 
processor, 24-1 
mode bits, and EFLAGS register, 2-13 
modR/M byte, 
and effective-address computation, 2-20 
for memory operand offset, 2-19 
MOV (move data), . 
and default segment selection, 2-19 
flag cross-reference, B-2 
instruction description, 3-1 
instruction format and timing, E-3, E-8, 
instruction specification, 26-211, 26-213 
mask exceptions and interrupts, 9-4 
one-byte opcode map, A-4, A-5 
two-byte opcode map, A-6 
MOV to/from CRO (move to control register 
0), privileged instruction, 6-19 


MOV to/from DRn (move to debug register 


n), privileged instruction, 6-19 

MOV to/from TRn (move to test register n), 
privileged instruction, 6- 19 

MOVB (move data), one- byte opcode map, 
A-4 


MOVS (move data from string to string), 
flag cross-reference, B-2 
general description, 3-29 
instruction format and timing, E-9 
instruction specification, 26-215 

MOVSB (move data from string to string), 
instruction specification, 26-215 
one-byte opcode map, A-4 ~ 

MOVSD (move data from string to string), 
instruction specification, 26-215 
one-byte opcode map, A-4 

MOVSW (move data from string to string), 
instruction specification, 26-215 
one-byte opcode map, A-4 
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MOVSX (move with sign extension), 
flag cross-reference, B-2 
general description, 3-6 
instruction format and timing, E-3 
instruction specification, 26-217 
two-byte opcode map, A-7 
MOVZX (move with zero extension), 
flag cross-reference, B-2 
general description, 3-6 
instruction format and timing, E-3 
instruction specification, 26-218 
two-byte opcode map, A-6 
MP bit (monitor coprocessor), numerics 
environment configuration, 19-2 
MP (math present —bit 1), system control flag, 
4-7 


MUL (unsigned multiply), 
flag cross-reference, B-2 
general description and flags, 3-8 
instruction format and timing, E-4 
instruction specification, 26-219 
modR/M byte opcodes, A-8 
status flag summary, C-2 
multi-segment model, . 
and general-protection exception, 5-5 
and segmentation, 5-4 __ 
multi-segment model initialization, segmenta 
tion, 10-5 
multiple faults, Interrupt 8 (double fault), 9-16 
multiprocessor systems, ‘ 
and cache consistency, 12- 1 
and cache consistency, 13-1 
and processor communication, 13- 1 
multitasking, 
and Intel486 processor, 7-1 
and task initialization, 10-6 | 
instructions (system programming), 4-10 
segment-level protection, 6-1 


NaN (not-a-number) operands, 
and Intel486 Floating Point Processor 
(FPU), 16-8 
and invalid-operation exception, 16-10 
NE bit (numeric exception), 
numerics environment configuration, 19-2 
_ system control flag, 4-7 
near form, RET (return from procedure), 6-17 
near pointer, data type, 2-6 
near transfer, and unconditional transfer ; 
instructions, 3-23 | 
NEG (two’s complement negation), 
flag cross-reference, B-2 
instruction description, 3-8 
instruction specification, 26-221 
modR/M byte opcodes, A-8 
status flag summary, C-2 — 
NMI interrupt, 
and assigned vector, 9-1 
and protected mode initialization, 10-4 
and software initialization, 10-3 
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mask further NMI interrupts, 9-3 
no-wait, control instructions, 17-8 | 
nontranscendental instructions, floating- pom 

instructions, 17-2 | 
NOP (no operation), 

flag cross-reference, B-2 

instruction description, 3-46 | 

instruction format and timing,.E-6 

instruction specification, 26-222 
NOT (one’s complement negation), 

flag cross-reference, B-2 | 

instruction description, 3-11 

instruction specification, 26-223 

modR/M byte opcodes, A-8 | | 
NT flag (nested task—bit 14), system flag 

description, 4-3 
null error code, and exception handler, 9-13 
number system, Intel486 Floating Point — 
Processor (FPU), 15-9 _ 
numeric data pointers, and exception handlers, 
numeric data type, 

and indefinite value, 16-12 

double real, 14-6 

encoding of, 16-12 

extended real, 14-6 © 

long integer, 14-6 | 

packed decimal, 14-6 _ 

~ short integer, 14-6 

single real, 14-6 

word integer, 14-6 oe 
numeric data types, Intel486 ene Point. 

Processor (FPU), 14-6 
numeric exceptions, 

denormalized operand, 16-17 

divide-by-zero, 16-17 

handling of, 16-18, 19-3 

inexact result (precision), 16-18 

invalid operation, 16-17. | 

numeric overflow, 16-17 

numeric underflow, 16-18 
numeric instruction pointers, and excepuon 

handlers, 15-7. | 
numeric instructions, 

and application programming, 3-38 

Intel486 Floating Point Processor (ores 

14-7 


numeric libraries, and FPU numeric 
applications, 18- : 
numeric overflow, . 
and overflow exception, 16-23 
numeric exceptions, 16-17 
numeric programming, 
— ASM386/486 examples, 20-1 
conditional branching example, 20-1 
exception handling example, 20-1. _ 
floating-point to ASCII conversion | 
example, 20-7: 
trigonometric calculation, 20-7 
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numeric underflow, 
and underflow exception, 16-25 
numeric exceptions, 16-18 
numerical exception masking, and FPU control 
word, 15-5 
numerical registers, Intel486 Floating Point 
Processor (FPU), 15-1 | 
numerics detection code, 3-42 
numerics environment configuration, Intel486 | 
Floating Point Processor (FPU), 19-2 
NW (not write-through — bit 29), system 
control flag, 4-6 


O/U# bit, stack exception, 16-20 
OF flag, and binary arithmetic instructions, 3-6 
OF (overflow flag), status flag, 2-14 | 
offset, 

for memory operand, 2-19 

for segmented address space, 2-3 
opcode, and instruction format, 2-16 | 
operand selection, for basic programming | 

model, 2- 17 

operand size, of instruction prefix, 16:3 7 
operand size prefix, instruction format, 2-16 © 
operating modes, of Intel486 processor, 1-2 
operating status, Intel486 processor, 2-13 
OR (logical inclusive or), 3 

flag cross- -reference, B-2 

instruction description, 3-12 — 

instruction specification, 26-224 

modR/M byte opcodes, A-8 

one-byte opcode map, A-4, A-5 

status flag summary, C-2. 
ordinal, data type, 2-6_ 
OUT (output to port), 

flag cross-reference, B-2 rn 

instruction format and timing, E-15 

instruction specification, 26-226 

one-byte opcode map, A-4, A-5 

register I/O instructions, 8-5 

sensitive instructions, 8-6 
output port, and input/output, 8-1. 
OUTS (output string), sensitive instructions, 


OUTS (output string to port), 
block I/O instructions, 8-6 
flag cross-reference, B-2 
instruction format and timing, E- 15 
instruction specification, 26-228. 
OUTSB (output string to port), 
instruction specification, 26-228 
one-byte opcode map, A-4, A-5 
OUTSD (output string to port), 
instruction specification, 26-228 
one-byte opcode map, A-4, A-5 
OUTSW (output string to port), 
instruction specification, 26-228 - 
one-byte opcode map, A-4, A-5 _ 
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overflow exception, 
and Intel486 processor, 2-23 
and numeric overflow, 16-23 
overflow trap, Interrupt 4 (overflow), 9-15 


packed BCD, data type, 2-6 
packed decimal, numeric data type, 14-6 
page, combining protection with segment, 6-25 
page directory, and page translation, 5-17 
page directory register (PDBR), 

and CR3 | 


and CR3 register, 5-18 
page directory update, automatic locking, 13-3 
page fault, 

and Interrupt 8 (double fault), 9-16 

and page table entries, 5-20 

and page translation, 5-17 

during task switching, 9-22 

Interrupt 14 (page fault), 9-21 

page frame address, 

with inconsistent stack pointer, 9-23 
page level management, caching, 12-3 
page protection, overriding, 6-24 
page table update, automatic locking, 13-3 
page tables, 

and combined protection, 6-24 

and page translation, 5-17, 5-18, 5-20 

and protection parameters, 6- 23 
page translation, 

and memory management, 5-17 

and physical address, 5-17 

and segment translation, 5-23 

linear address, 5-17 
paging 

and I/O address space, 8-1 

and linear address space, 2-2. 

and memory management, 2-1, 5-1 

and page-level protection, 6- 22 

and PG bit, 5-18 

demand-paged virtual memory, 5-2 

description, 5-2 

exception handling, 2-24 

initialization, 10-6 
parity checking, and instruction prefetching, 


PCD bit (page-level cache disable), 
cache control, 5-22 
cache management bits, 12-4 
system control flag, 4-6 
PE (protection enable —bit 0), 
and protected mode initialization, 10-4 
system control flag, 4-8 
PF (parity flag), status flag, 2-14 
PG (paging —bit 31), 
system control flag, 4-6 
to enable paging, 5-18 
physical address, 
description, 2-1 
and linear address, 2-1 
and page translation, 5-17 
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and PG bit, 5-18 
and segmentation, 5-2 
physical memory, 
and I/O address space, 8-2 
and memory-mapped I/O, 8-3 
description, 2-1 
PL/M-386/486, and FPU numeric applications, 
18-2 
PLOCK#, 
and instruction prefetching, 13-1 
and pseudo-locking, 13-3 
PMUL, one-byte opcode map, A-4 
pointer integrity, 
and ARPL (adjust requested privilege 
level), 6-22 3 
and RPL (requested privilege level), 6- 22. 
pointer parameter verification, instructions 
(system programming), 4-9 
pointer validation instructions, — 
and protection, 6-20 : 
LAR (load access rights), 6-20 
LSL (load segment limit), 6- 20 
POP (pop word from stack), 
flag cross-reference, B-2. 
general description, 3-3 
_ instruction format and timing, E-3, E-8 
instruction specification, 26-231 
mask exceptions and interrupts, 9-4 
one-byte opcode map, A-4, A-5 — 
two-byte opcode map, A-6, A-7 
POPA (pop all general registers), 
flag cross-reference, B-2. 
general description, 3-4 
instruction format and timing, E-3- 
instruction specification, 26-234 
one-byte opcode map, A-4 | 
POPAD (pop all general registers), i instruction 
specification, 26-234 
POPF (pop stack into flags), 
flag cross-reference, B-2 
instruction description, 3-38 
instruction format and timing, E-10 
instruction specification, 26-236 
one-byte opcode map, A-4, A-5 
POPFD (pop stack into flags), instruction 
specification, 26-236 
position-independent code, and segmentation, 
power-up, 
and RESET signal, 10-1 
and self test, 10-1 
precision control, eae eens Point 
Processor (FPU), 1 
prefix, and instruction format, 2-16 
present bit, 
and page table entries, 5- 20 
and TSS descriptor, 7-4 
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privilege levels, segment descriptors, 6- 5 
privileged instruction, 
CLTS (clear task- switched flag), 6- 19 
HLT (halt processor), 6-19 
LGDT (load GDT register), 6-19 
LIDT (load IDT register), 6-19 
LLDT (load LDT register), 6-19. . 
LMSW (load machine status word), 6- i 
LTR (load task register), 6-19 | 
MOV to/from CRO (move to control 
register 0), 6-19 


MOV to/from DRn (move to debug Pe BISter 
, 6-19 


n 
MOV to/from TRn. (move to test register 
, n), 6-19 ) 
procedure return, and gate descriptors, 6-17 
process synchronization, and XCHG 
instruction, 3-2 
processor communication, and multiprocessing 
systems, 13-1 
processor detection code, to distinguish 
processors, 22-11 © 
processor state, - 
after reset, 10-1 | 
and TSS (task state Seay 7-2 
programmed exceptions, software interrupts, — 
protected flat model, and segmentation, O- a 
protected mode, 
Intel486 operating mode, 1-2 
initialization switching, 10- -4 
Intel 286 processor, 21-1 
software initialization, 10- 5 
protection, a 
and control transfer restrictions, 6-9 
and data access restrictions, 6-7 
and gate descriptors, 6-11 
and input/output, 8-6 | | 
and pointer validation instructions, 6-20 
and segment descriptors, 6-2 — | 
page-level protection, 6-22 
-  segment-level protection, 6-1 
protection mechanism, 
and IOPL flag, 4-3 | 
and memory organization. model, 2- ad 
and privilege levels, 6-5 | 
and read-only acces, 6-24 
read/write access, 6- 24 


protection parameters, and page- -table entries, = 


protection violations, Interrupt 13 (general 
protection), 9- 20 | 

pseudo-locking, 

and instruction prefetching, 13- 4 

and multiprocessing, 13-1 

and PLOCK#, 13-3 _ 
pseudodenormal numbers, | 

and Intel486 processor, 16-13 

denormal exception, 16-13. 
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PUSH (push operand onto stack), 
flag cross-reference, B-2 _ 
instruction description, 3-2 
instruction format and timing, E-3, E-8 
instruction specification, 26-237 | 
modR/M byte opcodes, A-8 | 
one-byte opcode map, A-4, A-5 
two-byte opcode map, A-6, A-7 

PUSHA (push all general registers), 
flag cross-reference, B-2 
general description, 3-3 | 
instruction format and timing, E-3 
instruction specification, 26-239 _ 
one-byte opcode map, A-4 

PUSHAD (push all general registers), 

instruction specification, 26-239 . 


| PUSHF (push flags onto stack), 


flag cross-reference, B-2 

instruction description, 3-38 — 
instruction format and timing, E-10° 
instruction specification, 26-241 
one-byte opcode map, A-4, A-5 


PUSHFD (push flags onto stack), instruction : 


specification, 26-241 
PWT bit (page-level write- through), 
cache control, 5-22 7 
cache management bits, 12-4 
system control flag, 4-6 ©. | 


| ONaN real indefinite, 


and invalid operation exception 16- 11 - 

and quiet NaN (not-a-number), 16-11" 
quadwords, description, 3-4 mh 
quiet NaN (not-a-numbér), and QNaN real 

~ indefinite, 16-11 


RCL (rotate through carry left), 
flag cross-reference, B-2.. 
instruction description, 3- 16 
instruction specification, 26- 242 
modR/M byte opcodes, A-8 
status flag summary, C-2 ~~ 

RCR (rotate through carry right), 
flag cross-reference, B-2 
instruction description, 3-16 — 
instruction specification, 26-242 | 
modR/M byte opcodes, A-8 
status flag summary, C-2. 

re-entrant code, and tasks, 73 

re-entrant procedure, description, Tels ec. - 

re-entrant task switching, and busy. bit, 7- 12 


read access, and accessed bit, 5-21 


read-only access, and protccron: mechanism, 


read/write access, protection’ miéchaniaint e 240 
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read/write bit, and page table entries, 5-22 
readable bit, executable-segment descriptor, 
real numbers, FPU data type, 15-12 
real-address mode, 

address translation, 22-1 
entering and leaving, 22-4 
Intel486 operating mode, 1-2 
Intel486 processor, 22-1 
Intel386 DX processor, 22-1 
Intel386 DX processor differences, 22-9 
Intel 80186 processor, 22-1 
Intel 80188 processor, 22-1 
Intel 286 processor, 22-1 
Intel 286-processor differences, 22-9 
Intel 8086 processor, -22-1 
Intel 8086 processor-differences, 22-5 
Intel 8088 processor, 22-1 
software initialization, 10-2 
switch to protected mode, 22-4 » 
records and structure declaratives, 
ASM386/486, 18-4 — 
register I/O instructions, | 
IN (input from port), 8-5 
OUT (output from port), 8-5 
register specifier, instruction format, 2-16 
registers, 
and real-address mode, 22-2 
for application programming, 2-8 
for operand selection, 2-17 
for system programming, 4-1 
relative address, and JMP instruction, 3-23 
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REPNE CMPS (compare strings), instruction 
format and timing, E-10 . 
REPNE (repeat while not equal), 
instruction description, 3-28 
instruction specification, 26-245 
one-byte opcode map, A-4 — 
REPNE SCAS, instruction format and timing, 
E-10 
REPNZ (repeat while not zero), 
instruction description, 3-28 
instruction specification, . 26-245 
REPZ (repeat while zero), 
instruction description, 3-28 
instruction specification, 26-245 
requester privilege level, segment selectors, 5-9 
reset, and processor state, 10-1 
reset initialization, and RESET signal, 10-1 
RESET signal, and reset initialization, 10-1 
RET (return from procedure), a 
far form description, 6-17. 
general description, 3-24 | 
instruction format and timing, E- ‘Pp oe 8 
instruction specification, 26-248 
near form description, 6-17 
one-byte opcode map, A-4, A-5 
RF flag (resume flag), 
debugging support,.11-1 
mask debug faults, 9-4 
system flag description, 4-3 
robot arm kinemetics, example, 20- 23, 
ROL (rotate left), 
flag cross-reference, B-2 _ 


REP INS, instruction format and timing, E-15 instruction description, 3-16 


REP LODS, instruction format and timing, 
E-10 
REP MOVS, instruction format and timing, 
E-10 
REP OUTS, instruction format and timing, 
REP prefix, and MOVS instruction, 3-29 
REP (repeat), 
instruction description, 3-28 
instruction specification, 26-245 
one-byte opcode map, A-4 
REP STOS, instruction format and timing, 
~ E-10 
REPE CMPS, instruction format and timing, 
REPE (repeat while equal), 
instruction description, 3-28 | 
instruction specification, 26-245 
one-byte opcode map, A-4 
REPE SCAS, instruction format and timing, 
E-10 
repeat, instruction prefix, 2-16 
repeat prefix, instruction format, 2-16 


instruction specification, 26-242 
modR/M byte opcodes, A-8 
status flag summary, C-2 
ROR (rotate right), 
flag cross-reference, B-2 
instruction description, 3-16 
instruction specification, 26-242 
modR/M byte opcodes, A-8 _ 
status flag summary, C-2 
round-off errors, and nah Floating Point 
Processor (FPU), 1 
rounding control, es exes Point 
Processor (FPU), 15-15 
RPL (requested privilege level), 
and data access restrictions, 6-7 
and pointer integrity, 6-22 
and segment selectors, 6-6 


S bit, segment descriptors, 5-12 

SAHF (store AH into flags), 
instruction description, 3-37 
instruction format and timing, E-10 
instruction specification, 26-252 
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_ .one-byte opcode map, A-4, A-5 

SAL (shift arithmetic left), 
instruction description, 3-13 
instruction specification, 26-253 
status flag summary, C-2 

SAR (shift arithmetic right), 

_ Instruction description, 3-14 
instruction specification, 26-253 
modR/M byte opcodes, A-8 
status flag summary, C-2 - 


SBB (integer subtraction with borrow), 


flag cross-reference, B-2 
instruction description, 3-7 
instruction specification, 26- 256 
modR/M byte opcodes, A-8 


one-byte opcode map, A-4, A-5 _ 


status flag summary, C-1 
SCAS (compare string data), 
flag cross-reference, B-2 


instruction format and timing, E-9 


instruction specification, 26-258 
Status flag summary, C-2. 


SCAS (scan string data), instruction | 


description, 3-29 » 
SCASB (compare string data), 


instruction specification, 26-258. 
one-byte opcode map, A-4, A-5 


SCASD (compare string data), 


instruction specification,.26-258 
one-byte opcode map, A- 4, A-5 


SCASW (scan string data), » 
instruction specification, 26-258 


one-byte opcode map, A-4, A-5— 


segment, description, 5-1 
segment descriptors, 
and base, 5-10 7 
and flat model, 5-3 
and granularity bit, 5-10 
and Intel 80286 processor, 21-1 
and limit, 5-10 


and logical address translation, 2-2 


and protection, 6-2 — 
and S bit, 5-12 


and segment selectors, 5-10, 5-8 - 


~and segment translation, 5-5 


and segment-present bit, 5-14 


and type, 5-12 

and type field, 5-13 
automatic locking, 13-3 
code segments, 5-13 _ 

D bit, 5-12 

data segments, 5-13 


descriptor table base registers, 5-16 
DPL (descriptor privilege level), 5-14, 6-6 


segment descriptor tables, 5-15 
segment level protection, | 

and PE control flag, 4-8 

segmentation, 6-1 
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segment limits, and protected flat model, 5-4 
segment override prefix, instruction format, 
segment privilege level, DPL (descriptor , 
privilege level), 5-14 | 
segment register instructions, and application 
programming, 3-39 | 
segment registers, 
and segment selectors, 2. 10 
and segment translation, 5-6 
as register operand, 2-19 | 
of Intel486 processor, 2-8 
segment selectors, 
and index, 5-9 
and requester privilege level, 5-9 
and RPL (requested privilege level), 6-6 
and segment descriptors, 5-10 
and segment registers, 2-10 
and segment translation, 5-8 
and table indicator bit, 5-9. 
for segmented address space, 2-3 
segment translation, , 
and page translation, 5-23 
and segment selectors, 5-8: 
and segmentation, 5-5 © | 
segment-not-present fault,. Interrupt 1 
(segment not present), 9-18. 
segment-present bit, segment descriptors, 5-14 
segmentation, 
and combined protection with page, 6-25 
and default assignment, 2-19 
and default selection, 2-20 
and exceptions handling, 2-24 
and explicit memory operands, 2- 19 
and flat model, 5-3 | 
and flat model initialization, 10- 5 
and I/O address space, 8-1 
and instruction prefix override, 2-16 
and linear address, 5-2 
and logical address, 5-2 
_and memory management, 2-1, 5-1 _ 
and memory organization model, 2-2, 2-3 
and model selection, 5-3 | 
and multi-segment model, 5-4 
and multi-segmented model initialization, 


and override prefix for segment selection, 


and physical address, 5-2. 

and position-independent code, 5-1 

and protected flat model, 5-4 

and segment translation, 5-5 

and segment-level protection, 6-1 _ 
self test, and power-up, 10-1 
self-modifying code, internal cache, 12¢ J 
semaphores, | 

and CMPXCHG instruction, 3-43 

and LOCK prefix, 13-2 

and XCHG instruction, 3-2 
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sensitive instructions, 
and I/O operations, 6-19 
CLI (clear interrupt- enable flag), 8-6 
IN (input), 8-6 
INS (input string), 8-6 
OUT (output), 8-6 
OUTS (output string), 8-6 
STI (set interrupt-enable flag), 8-6 
SETB, two-byte opcode map, A-6 
SETBE, two-byte opcode map, A-6 
SETcc (byte set on condition), 
and status flags, 3-7 
flag cross-reference, B-2 
general description, 3-22 
instruction format and timing, E-7 
instruction specification, 26-260 
SETL, two-byte opcode map, A-7 
SETLE, two-byte opcode map, A-7 
SETNB, two-byte opcode map, A-6 
SETNBE, two-byte opcode map, A-6 
SETNL, two-byte opcode map, A-7 
SETNLE, two-byte opcode map, A-7 
SETNO, two-byte opcode map, A-6 
SETNP, two-byte opcode map, A-7 
SETNS, two-byte opcode map, A-7° — 
SETNZ, two-byte opcode map, A-6 
SETO, two-byte opcode map, A-6 
SETP, two-byte opcode map, A-7 
SETS, two-byte opcode map, A-7 
SETZ, two-byte opcode map, A-6 
SF flag, and binary arithmetic instructions, 3-6 
SF (sign flag), status flag, 2-14 
SGDT (store global/IDTR), 
flag cross-reference, B-2 
instruction format and timing, E-12 
instruction specification, 26-262 
modR/M byte opcodes, A-8 . 
sharing data, using 16-bit and 32-bit 
environments, 24-3 
SHL (shift left), 
instruction description, 3-13 
instruction specification, 26-253 
modR/M byte opcodes, A-8 
SHLD (shift left double piccrion);. 
flag cross-reference, B-2__. 
instruction description, 3-16 
instruction specification, 26-264 
status flag summary, C-2 
two-byte opcode map, A-6 
short integer, numeric data type, 14-6 
SHR (shift right), 
_ instruction description, 3-13 
instruction specification, 26-253 © 
| modR/M byte opcodes, A-8 
SHRD (shift right double precision), 
flag cross-reference, B-2 
instruction description, 3-16 
instruction specification, 26-266 
status flag summary, C-2 
two-byte opcode map, A-7 
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SIB (scale/index/base byte), instruction format, 
6 


SIDT (store global/IDTR), 
flag cross-reference, B-2 
instruction format and timing, E-12 
instruction specification, 26-262 
modR/M byte opcodes, A-8 

sign extension, description, 3-4 

single real, numeric data type, 14-6 


‘single-step trap, Interrupt 1 (debug 


exceptions), 9-14, 11-8 
size limit, and segment descriptor, 2-2 
SLDT (store LDTR), 
flag cross-reference, B-2 
instruction format and timing, E-12 
instruction specification, 26-268 
modR/M byte opcodes, A-8 
SMSW instruction, and Intel 286 proce sseh, 


SMSW (store machine status word), 
flag cross-reference, B-2 
instruction format and timing, E-12 
instruction specification, 26-269 
modR/M byte opcodes, A-8 
software exception handling, numeric 
exceptions, 16-18 = 
software initialization, a 
and real-address mode, 10-2 © 
in protected mode, 10-5 
software interrupts, programmed exceptions, _ 
source operands, 
floating-point instructions, 17-1 
for binary arithmentic instructions, 3-6 
for two-operand instructions, 2-17 
spawning, See copy-on-write strategy 
peae numeric values, FPU data formats, 
SS register, » 
and stack segment, 2-11 
segment register, 2-10 
stack, and interrupt procedures, 9-9 
stack exception, numeric exceptions, 16-20 
stack fault, Interrupt 12 (stack exception), 9-19 
stack frame, description of, 3-30 
stack frame pointer set, display, 3-30 
stack operations, and default segment 
selection, 2-19 | 
stack overflow, stack exception, 16-20 
Stack Pointer (ESP) Register, description of, 
2-12 | 


stack segment, and SS register, 2-11 
Stack Segment (SS) Register, description of, 
2-12 | | | 
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stack switching, and gate descriptors, 6-13 
stack underflow, stack exception, 16-20 
Stack-Frame Base Pointer EBP) Register, 
description of,’ 2-13 
standard underflow/overflow. exception 
handler, and IEEE Standard, 16-27 
status flags, 
and Jcc instruction, 3-7 
and SETcc instruction, 3-7 
status registers, of Intel486 processor, 2-8 
STC (set carry flag), . 4 
flag cross-reference, B-2. 
instruction format and timing, E-10 
instruction specification, 26-270 
one-byte opcode map, A-5 
STD (set direction flag), 
flag cross- -reference, B-2 
instruction format and timing, E-10 
instruction specification, 26-271 
one-byte opcode map, A-5 — 
STI (set interrupt flag), 
flag cross-reference, B- 2 | 
instruction format and timing, E-10 
instruction specification, 26-272 
one-byte opcode map, A-5 
STI (set interrupt-enable flag), 
and INTR interrupts, 9-3 
sensitive instructions, 8-6 
STOS (store string data), 
flag cross-reference, B-2 
general description, 3-30. 
instruction format and timing, E-9 
instruction specification, 26-273 
STOSB (store string data), | 
instruction specification, 26-273 
one-byte opcode map, A-4, A-5 
STOSD (store string data), 
instruction specification, 26-273 
- .one-byte opcode map, A-4, A-5 
STOSW (store string data), 
instruction specification, 26-273 
one-byte opcode map, A-4, A-5 
STR (store task register), 
and task register description, 7-6 
flag cross-reference, B-2 
instruction format and timing, E-12 
instruction specification, 26-275 
modR/M byte opcodes, A-8 
string, data type, 2-6 
string insertion/extraction, and double- shift 
instructions, 3-19 
string instructions, and EFLAGS register, 2- 13 
string operations, — 
and application programming, 3-27 
and default segment selection, 2-19 
SUB (integer subtract), | 
flag cross-reference, B-2 
instruction specification, 26-276 
modR/M byte opcodes, A-8 
one-byte opcode map, A-4, A-5 
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status flag summary, C-1 
SUB (subtract integers), instruction 
description, 3-7 | 
supervisor level, and addressable domain — 
restriction, 6-23 
synchronization, exceptions, 18-13, 18-14 
system control, instructions (system 
programming), 4-9 
system control flag, — 
AM (alignment mask — bit 18), 4- 7 
CD (cache disable —bit 30), 4-6» 
EM (emulation —bit 2), 4-7. 
ET (extension type —bit 4), 4-7 
MP (math present —bit 1), 4-7 
NE (numeric error—bit 5), 4-7 
PCD ee level cache disable — CR3 bit »; 
a ( Lae enable —bit 0), 4-8 
6 pane bit 31), 4-6 
Pw (page-level eae transparent —CR3 
bit 3), 4-6 
TS (task switched — bit3), 4-7 | 
WP (write protect —bit 16), 4-7 7 
system control flags, and CRO register, 4-5 
system flags, and system programming, 4-2 
system programming, and Intel486 Floating 
Point Processor (FPU), 19-1 
system tables, 
and protected iHiode initialization, 10-4 © 
and software initialization, 10-3 , 


T bit (trap bit of TSS), 
and BT bit, 11-4 
and debugging support, 11- i. 
table indicator bit, segment selectors, 5- 9 
tag, and cache associative memories, 12-1 
task, description, 7-1 _ 
task address mapping, logical to physical 
space, 7-14 
task address space, descripion, 7-13 
task creation, See copy-on-write strategy 
task gate descriptor, and protected task 
reference, 7-6 | 
task gates, 
and IDT descriptors, 9-7 
and task switching, 6-11, 7-1 


_ task linking, 


and Intel486 processor, 7-11 

and TSS (task state segment), 7-11 

modification of, 7-13 
task state segment, 

and stack switching, 6-15 

and TSS descriptor, 7-2 

description, 7-1 

descriptors and task switching, 7- 1 
task switching, © 

and exceptions, 7-1 

and Intel486 processor, 7-7 

and interrupts, 7-1 

and LDT switching, 7-1. 
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and page fault, 9-22 
and task gates, 6-11, 7-1 
and task state segment descriptors, 7-1 
task-switch breakpoint trap, Interrupt 1 
(debug exceptions), 9-14 | 
task-switch trap, Interrupt 1 (debug 
exceptions), 11-8 
tasks, 
and NT flag, 4-3 
and re-entrant code, 7-3 
initialization, 10-6 
TEST (logical compare), 
flag cross-reference, B-2 
instruction description, 3-23 
instruction format and timing, E-4 
instruction specification, 26-278 
-modR/M byte opcodes, A-8 
one-byte opcode map, A-4, A-5 
status flag summary, C-2 
test registers, and translation lookaside buffer 
(TLB), 4-8 | 
TF flag (trap flag), 
debugging support, 11-1 
system flag description, 4-3 
three-operand instructions, 
and ECX register, 2-18 
description of, 2-18 | 
TLB (translation lookaside buffer), 
initialization testing, 10-6 
structure of, 10-7 
test operations, 10-10 
test registers, 10-8 
top-of-stack (TOS), 
and ESP register, 2-12 
and PUSH instruction, 3-2 : 
TR4 (test status register), cache test register, 
TR6 (test command register), TLB test 
register, 10-8 
TR7 te data register), TLB test register, 
10-9 


TR (task register), 
and current TSS, 7-4 
register description, 4-5 
transcendental instructions, floating-point 
instructions, 17-4 
transferring control, in 16-bit and 32-bit 
environments, 24-3 
translation lookaside buffer (TLB), 
and page translation, 5-18, 5-22 
and test registers, 4-8 
trap gates, 
and exceptions, 6-11 
and IDT descriptors, 9-7 
traps, 
exception conditions, 9-13 
exception description, 9-2 
exception processor-detected, 9-1 
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trigonometric calculation, numeric 
programming, 20-7 
TS (task switched —bit3), system control flag, 
TSS Busy bit, automatic locking, 13- 3 
TSS (task state segment), 
and I/O permission bit map, 8-7 
and Intel 286 processor compatibility, 7-2 
and processor state information, 7-2 
and task linking, 7-11 
two-operand instructions, description of, 2-17 | 
type, segment descriptors, 5-12 | 
type checking, 
and protection mechanism, 6-24 
segment descriptors, 6-3 
type field, segment descriptors, 5-13 


underflow exception, 

and denormal values, 16-3 

and inexact exception, 16-26 

and numeric underflow, 16-25 
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ritabl bit, d dat t des t 6- a instruction specification, 26-288 
awrite ee Pa ere sci crip 7 modR/M byte opcodes, A-8 


flag cross-reference, B-2 
instruction format and timing, E- 9 ae 


and accessed bit, 5-21. | one-byte opcode map, A-4 

and dirty bit, 5- Y -__- Status flag summary, C-2 ._. 
write protection, and user- -mode | pages, 6- 24 | eae oe 
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Pioneer Technologies Group | 
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Duluth 30136 
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FAX: (404) 623-0665 
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- Norcross 30092 
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ILLINOIS 


: Arrow/Schweber Electronics 


1140 W. Thorndale Rd. 
Itasca 60143 


. Tel: (708) 250-0500 


Avnet Computor 
1124 Thorndale Avanua 


_ Bensenville 60106 


Tel: (708) 860-8572 
FAX: (708) 773-7976 


~" Hamilton Hallmark *. 
‘’ 1180 Thorndale Avenue 
‘- Bensenville 60106 


Tel: (708) 860-7780 


> FAX: (708) 860-8530 — 
' MTI Systems 


1140 W. Thorndale Avenue 
Itasca 60143 

Tel: (708) 250-8222 ~ 

FAX: (708) 250-8275 


’. Pioneer Standard 


2171 Executive Dr., #200 
Addison 60101 

Tel: (708) 495-9680- 
FAX: (708) 495-9831 


Wyle Laboratories 


: 2055 Army Trail nad: #140 
- Addison 60101 

- ' Tel: (800) 853-9953 

FAX: (708) 620-1610 


INDIANA 


'- Arrow/Schweber Electronics 


7108 Lakeview Parkway ba Dr. 
Indianapolis 46268 
Tel: (317) 299-2071 


~! FAX: (317) 299-2379 


~ Avnet Computer 


485 Gradle Drive 
Carmel 46032 


Tel: (317) 575-8029 


FAX: (317) 844-4964 


Hamilton Hallmark 


’ 4275 W. 96th 
‘, Indianapolis 46268° ~ 
- Tel: (817) 872-8875 
FAX: (317) 876-7165 


Pioneer Standard 

9350 Priority Way West Dr. 
Indianapolis 46250 

Tel: (317) 573-0880 

FAX: (317) 573-0979 
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NORTH AMERICAN DISTRIBUTORS (Contd.) 


KANSAS 


Arrow/Schweber Electronics 
9801 Legler Road 

Lenexa 66219 

Tel: (913) 541 9542 

FAX: (913) 541-0328 


Avnet Computer 
15313 W. 95th Street . 
Lenexa 61219 

Tel: (913) 541-7989 
FAX: (913) 541-7904 


Hamilton Hailmark 
10809 Lakeview Avenue 
Lenexa 66215 

Tel: (913) 888-4747 
FAX: (913) 888-0523 


KENTUCKY 


Hamilton Hallmark «© 
1847 Mercer Road, #G 
Lexington 40511 

Tel: (800) 235-6039 ~ 
FAX: (606) 288-4936 


MARYLAND 


Anthem Electronics 

.7168A Columbia Gateway Drive © 
Columbia 21046 

Tel: (410) 995-6640 

FAX: (410) 290-9862 


Arrow Commercial Systems tage 
200 Perry Parkway 

Gaithersburg 20877 

Tel: (301) 670-1600 

FAX: (301) 670-0188 


Arrow/Schweaber Electronics 
9800J Patuxent Woods Dr. 
Columbla 21046 

Tel: (301) 596-7800 

FAX: (301) 995-6201 


Avnet Computer - 

7172 Columbia Gateway Dr., #G 
Columbia 21045 

Tel: (801) 995-3571 

FAX: (301) 995-3515 © 


Hamilton Hallmark 
10240 Old Columbia Road 
Columbia 21046 

Tel: (410) 988-9800 

FAX: (410) 381-2036 


North Atlantic Industries 
Systems Division 

7125 River Wood Dr. . 

Columbia 21046 

Tel: (301) 312-5800 

FAX: (301) 312-5850 


Pioneer Technologies Group 
15810 Gaither Road 
Gaithersburg 20877 

Tel: (301) 921-0660 

FAX: (301) 670-6746 


Wyle Laboratories 

7180 Columbia Gateway Dr. 
Columbia 21046 

Tel: (410) 312-4844 

FAX: (410) 312-4953 


MASSACHUSETTS 


Anthern Electronics 
36 Jonspin Road 
Wilmington 01887 
Tel: (508) 657-5170 
FAX: (508) 657-6008 


Arrow/Schweber Electronics 
25 Upton Dr. 

Wilmington 01887 

Tel: (508) 658-0900 

FAX: (508) 694-1754 


Avnet Computer 

10 D Centennial Drive 
Peabody 01960 
Tel: (508) 532-9886 
FAX: (508) 532-9660 - 


Hamilton Hallmark 

10 D Centennial Drive 
Peabody 01960 

Tel: (508) 531-7430 - 
FAX: (508) 532-9802 


Pioneer Standard 
44 Hartwell Avenue. 
Lexington 02173 


> Tel: (617) 861-9200. 


FAX: (617) 863-1547 


Wyle Laboratories 
15 Third Avenue 
Burlington 01803 
Tel: (617) 272-7300 
FAX: (617) 272-6809 


MICHIGAN 


Arrow/Schweber Electronics 
19880 Haggerty Road 
Livonia 48152 

Tel: (800) 231-7902 

FAX: (313) 462-2686 


Avnet Computer 

2876 28th Street, S.W., #5 
Grandville 49418 

Tel: (616) 531-9607 

FAX: (616) 531-0059 


Avnet Computer 
41650 Garden Brook Rd. #120 
Novi 48375 


Tel: (313) 347-1820 


FAX: (313) 347-4067. 


Hamilton Hallmark = 

44191 Plymouth Oaks Bivd., #1300 
Plymouth 48170 

Tel: (313) 416-5800 

FAX: (313) 416-5811 


Hamilton Hallmark 
41650 Garden Brook Rd., #100 


' Novi 49418 


Tel: (313) 347-4271 
FAX: (313) 347-4021 


_ Pioneer Standard | 


4505 Broadmoor S.E. 
Grand Rapids 49512 
Tel: (616) 698-1800. fi 
FAX: (616) 698-1831 2 


Pioneer Standard 
13485 Stamford 
Livonia 48150 > 
Tel: (313) 525-1800 
FAX: (313) 427-3720. 


MINNESOTA 


_ Anthem Electronics 


7646 Golden Triangle Drive 
Eden Prairie 55344 


~ Tel: (612) 944-5454 


FAX: (612) 944-3045 - 


Arrow/Schweber Electronics 
10100 Viking Drive, #100 


.". Eden Prairie 55344 
'” Tel: (612) 941-5280 
’ FAX: (612) 942- 7803 


Avnet Computer 
10000 West 76th Street 
Eden Prairie 55344 .. 
Tel: (612) 829-0025 


. FAX: (612) 944-2781. 
' . Hamilton Hallmark 


9401 James Ave South, #140 
Bloomington 55431 


' Tel: (612) 881-2600 


FAX: (612) 881-9461 . 


Pioneer Standard . 
7625 Golden Triange Dr., #G 


_ Eden Prairie 55844 


Tel: (612) 944-3355 - 
FAX: (612) 944-3794: 


Wyle Laboratories. 
1325 E. 79th Street, #1 
Bloomington 55425 
Tel: (612) 853-2280 


_ FAX: (612) 853-2298 


MISSOURI 


| Arrow/Schweber Electronics 


2380 Schuetz Road 
St. Louis 63141 
Tel: (314) 567-6888 
FAX: (314) 567-1164 


Avnet Computer 


741 Goddard Avenue 
Chesterfield 63005 ' 
Tel: (314) 537-2725 


' FAX: (314) 537-4248 


Hamilton Hallmark 
3783 Rider Trail South 
Earth City 63045 

Tel: (314) 291-5350 
FAX: (314) 291-0362 


_ NEW HAMPSHIRE 
~ Avnet Computer 


2 Executive Park Drive 


: Bedford 03102 
’ Tel: (800) 442-8638 


FAX: (603) 624-2402 


NEW JERSEY 
Anthem Electronics 


* 26 Chapin Road, Unit K 


Pine Brook 07058 


_ Tel: (201) 227-7960 


FAX: (201) 227-9246 


Arrow/Schweber Electronics . 


4 East Stow Rd., Unit 11 
Marlton 08053 


= Tel: (609) 596-8000 - 


FAX: (609) 596-9632 | 


-. Arrow/Schweber Electronics 
' 43 Route 46 East 


Pine Brook 07058 
Tel: (201) 227-7880 | 
FAX: (201) 538- 4962. 


Avnet Computer 
1-B Keystone Ave., Bidg. 36 
Cherry Hill 08003" . 


- Tel: (609) 424-8961 © 


FAX: (609) 751-2502 


Hamilton Hallmark 

1 Keystone Ave., Bidg. 36 
Cherry Hill 08003 

Tel: (609) 424-0110 

FAX: (609) 751-2552 


Hamilton Hallmark 
10 Lanidex Plaza West 
Parsippani 07054. 


- Tel: (201) 515-5300 


FAX: (201) 515-1601 


' MTI Systems 


43 Route 46 East 


_ Pinebrook 07058 


Tel: (201) 882-8780 
FAX: (201) 539-6430 


Pioneer Standard 


_ 14-A Madison Rd. 


Fairfield 07006 


— Tel: (201) 575-3510 


FAX: (201) 575-3454 


. Wyle Laboratories 


20 Chapin Road, Bidg. 10- 13 


. Pinebrook 07058 


Tel: (201) 882-8358 
FAX: (201) 882-9109 


NEW MEXICO 


Alliance Electronics, tnc. — 
10510 Research Ave.: 
Albuquerque 87123 

Tel: (505) 292-3360 

FAX: (505) 275-6392 


. Avnet Computer 


7801 Academy Rd. 
Bldg. 1, Suite 204 
Albuquerque 87109 
Tel: (505) 828-9725 
FAX: (505) 828-0360° 


' NEW YORK 


Anthem Electronics 
47 Mall Drive 
Commack 11725 
Tel: (516) 864-6600 
FAX: (516) 493-2244 


Arrow/Schweber Electronics. a 


3375 Brighton Henrietta 


_ Townline Rd. 


Rochester 14623 
Tel: (716) 427-0300 . 
FAX: (716) 427-0735 


- Arrow/Schweber Electronics 
- 20 Oser Avenue 
’ Hauppauge 11788 


Tel: (516) 231-1000 
FAX: (516) 231-1072. 


~ Avnet Computer 
' 933 Motor Parkway 


Hauppauge 11788 
Tel: (616) 434-7443 
FAX: (516) 434-7426 


~~ Avnet Computer 


2060 Townline Rd. 
Rochester 14623 
Tel: (716) 272-9110 
FAX: (716) 272-9685 


Hamilton Hallmark 
933 Motor Parkway 
Hauppauge 11788 
Tel: (516) 434-7470 
FAX: (516) 434-7491 


Hamilton Hallmark 


_ 1057 E. Henrietta Road 
’ Rochester 14623 


Tel: (716) 475-9130 
FAX: (716) 475-9119 


Hamilton Hallmark 


..- 3075 Veterans Memorial Hwy. 
- Ronkonkoma 11779 ' 


Tel: (516) 737-0600 
FAX: (516) 737-0838 


MTI Systems 
1 Penn Plaza 


. 250 W. 34th Street 


New York 10119 
Tel: (212) 643-1280 
FAX: (212) 643-1288 


Pioneer Standard 

68 Corporate Drive - 
Binghamton 13904 
Tel: (607) 722-9300 
FAX: (607) 722-9562 . 


~ Pioneer Standard 


60 Crossway Park West 
Woodbury, Long Island 11797 


. Tel: (516) 921-8700 
. FAX: (516) 921-2143 | 


Pioneer Standard 
840 Fairport Park | 
Fairport 14450 


Tel: (716) 381-7070 


FAX: (716) 381-5955 


Zeus Arrow Electronics 
100 Midland Avenue 
Port Chester 10573 
Tel: (914) 937-7400 
FAX: (914) 937-2553 © 


NORTH CAROLINA 


Arrow/Schweber Electronics 
5240 Greensdairy Road 


-. Raleigh 27604 
_ Tel: (919) 876-3132 


FAX: (919) 878-9517 


_ Avnet Computer 


2725 Millbrook Rd., #123 
Raleigh 27604 

Tel: (919) 790-1735 

FAX: (919) 872-4972 


Hamilton Hallmark 


* 5234 Greens Dairy Road 

~ Raleigh 27604 

— Tel: (919) 878-0819 
FAX: (919) 878- 8729 


Pioneer Technologies Group. - 
2200 Gateway Ctr. Blvd, #215 
Morrisville 27560 ~~ 

Tel: (919) 460-1530 

FAX: (919) 460-1540 


OHIO 


Arrow Commercial Systems Group 
284 Cramer Creek Court 
Dublin 43017 

Tel: (614) 889-9347 


_ FAX: (614) 889-9680 


‘ Arrow/Schweber Electronics 


6573 Cochran Road, #E 
Solon 44139 : 
Tel: (216) 248-3990 
FAX: (216) 248-1106 


Arrow/Schweber Electronics | 
8200 Washington Village Dr. 
Centerville 45458 

Tel: (513) 435-5563 

FAX: (513) 435-2049 


Avnet Computer 

7764 Washington Village Dr. 
Dayton 45459 

Tel: (513) 439-6756 

FAX: (513) 439-6719 


Avnet Computer 


' 30325 Bainbridge Rad., Bldg. A 


Solon 44139 
Tel: (216) 349-2505 


FAX: (216) 349-1894 


Hamilton Hallmark 

7760 Washington Village Dr. 
Dayton 45459 

Tel: (513) 439-6735 

FAX: (513) 439-6711 


Hamilton Hallmark 
5821 Harper Road 
Solon 44139 

Tel: (216) 498-1100 


. FAX: (216) 248-4803 


Hamilton Hallmark ; 
777 Dearborn Park Lane, 4L . 
Worthington 43085 ; 

Tel: (614) 888-3313 

FAX: (614) 888-0767 


MTI Systems 
23404 Commerce Park Rd. 
Beachwood 44122 


" Tel: (216) 464-6688 


FAX: (216) 464-3564 


Pioneer Standard . 


| 4433 Interpoint Boulevard 


Dayton 45424 
Tel: (513) 236-9900 


~ FAX: (513) 236-8133 


Pioneer Standard 
4800 E. 131st Street 
Cleveland 44105 
Tel: (216) 587-3600 
FAX: (216) 663-1004 


OKLAHOMA 


Arrow/Schweber Electronics 
12101 E. 51st Street, #106 
Tulsa 74146 

Tel: (918) 252-7537 

FAX: (918) 254-0917 


~ Hamilton Hallmark 
5411S. 125th E. Ave., #305 


Tulsa 74146 
Tel: (918) 254-6110 
FAX: (918) 254-6207 


Pioneer Standard 

9717 E. 42nd St., #105 
Tulsa 74146 

Tel: (918) 665-7840 
FAX: (918) 665-1891 


CG/SALE/111293 


In 


OREGON 


Almac Arrow Electronics 
1885 N.W. 169th Place 
Beaverton 97006 

Tel: (503) 629-8090 
FAX: (503) 645-0611 


Anthem Electronics 
9090 S.W. Gemini Drive 
Beaverton 97005 

Tel: (503) 643-1114 
FAX: (503) 626-7928 


Avnet Computer 


9750 Southwest Nimbus Ave. 


Beaverton 97005 
Tel: (503) 627-0900 
FAX: (502) 526-6242 


Hamilton Hallmark 
9750 S.W. Nimbus Ave. 
Beaverton 97005 

Tel: (503) 526-6200 
FAX: (503) 641-5939 


Wyle Laboratories 
9640 Sunshine Court 
Bldg. G, Suite 200 
Beaverton 97005 
Tel: (503) 643-7900 
FAX: (503) 646-5466 


PENNSYLVANIA 


Anthem Electronics 

355 Business Center Dr. 
Horsham 19044 

Tel: (215) 443-5150 
FAX: (215) 675-9875 


Avnet Computer 

213 Executive Drive, eco 
Mars 16046 

Tel: (412) 772-1888 

FAX: (412) 772-1890 


Pioneer Technologies Group 
259 Kappa Drive 

Pittsburgh 15238 

Tel: (412) 782-2300 

FAX: (412) 963-8255 


Pioneer Technologies Group 
500 Enterprise Road 

Keith Valley Business Center 
Horsham 19044 

Tel: (713) 530-4700 


Wyle Laboratories 
ves Drive, #111 
Marlton 08053-3185 
Tel: (609) 985-7953 
FAX: (609) 985-8757 


TEXAS 


Anthem Electronics 

651 N. Plano Road, #401 
Richardson 75081 

Tel: (214) 238-7100 

FAX: (214) 238-0237 


Arrow/Schweber Electronics 
11500 Metric Blvd., #160 
Austin 78758 

Tel: (512) 835-4180 

FAX: (512) 832-5921 


NORTH AMERICAN DISTRIBUTORS (Contd.) 


Arrow/Schweber Electronics 
3220 Commander Dr 
Carrollton 75006 

Tel: (214) 380-6464 

FAX: (214) 248-7208 


Arrow/Schweber Electronics 
10899 Kinghurst Dr., #100 
Houston 77099 

Tel: (713) 530-4700 


Avnet Computer 

4004 Beltline, Suite 200 
Dallas 75244 

Tel: (214) 308-8181 
FAX: (214) 308-8129 


Avnet Computer 

1235 North Loop West, #525 
Houston 77008 

Tel: (713) 867-8572 

FAX: (713) 861-6851 


Hamilton Hallmark 
12211 Technology Blvd. 
Austin 78727 

Tel: (512) 258-8848. 
FAX: (512) 258-3777 


Hamilton Hallmark 

. 11420 Page Mill Road 
Dallas 75243 
Tel: (214) 553-4300 
FAX: (214) 553-4395 


Hamilton Hallmark 
8000 Westglen 
Houston 77063 

Tel: (713) 781-6100 
FAX: (713) 953-8420 ~ 


Pioneer Standard 
1826-D Kramer Lane 
Austin 78758 

Tel: (612) 835-4000 
-FAX: (512) 835-9829 


Pioneer Standard 
13765 Beta Road 
Dallas 75244 

Tel: (214) 263-3168 
FAX: (214) 490-6419 


Pioneer Standard 
- 10530 Rockley Road, #100 
Houston 77099 
Tel: (713) 495-4700 
FAX: (713) 495-5642 


Wyle Laboratories 
°1810 Greenville Avenue 
Richardson 75081 

Tel: (214) 235-9953 
FAX: (214) 644-5064 


Wyle Laboratories 


4030 West Braker Lane, #330 


Austin 78758 
Tel: (512) 345-8853 
* FAX: (512) 345-9330 


Wyle Laboratories 

11001 South Wilcrest, #100 
Houston 77099 

Tel: (713) 879-9953 

FAX: (713) 879-6540 


UTAH 


Anthem Electronics 
1279 West 2200 South 
Salt Lake City 84119 
Tel: (801) 973-8555 
FAX: (801) 973-8909 


Arrow/Schweber Electronics 
1946 W. Parkway Blvd. 

Salt Lake City 84119 

Tel: (801) 973-6913 

FAX: (801) 972-0200 


Avnet Computer 

1100 E. 6600 South, #150 
Salt Lake City 84121 

Tel: (801) 266-1115 

FAX: (801) 266-0362 


Hamilton Hallmark 

1100 East 6600 South, #120 
Salt Lake City 84121 

Tel: (801) 266-2022 

FAX: (801) 263-0104 


Wyle Laboratories 
1325 West 2200 South, #E 
West Valley 84119 

Tel: (801) 974-9953 


_ FAX: (801) 972-2524 


WASHINGTON 


Almac Arrow Electronics 
14360 S.E. Eastgate Way 
Bellevue 98007 

Tel: (206) 643-9992 


_ FAX: (206) 643-9709 


Anthem Electronics 

19017 - 120th Ave., N.E. #102 
Bothell 98011 

Tel: (206) 483-1700 

FAX: (206) 486-0571 


Avnet Computer 
17761 N.E. 78th Place 
Redmond 98052 

Tel: (206) 867-0160 
FAX: (206) 867-0161 


~ Hamilton Hallmark 


8630 154th Avenue 
Redmond 98052 
Tel: (206) 881-6697 
FAX: (206) 867-0159 


Wyle Laboratories 
15385 N.E. 90th Street 
Redmond 98052 

Tel: (206) 881-1150 


- FAX: (206) 881-1567 © 


WISCONSIN 


Arrow/Schweber Electronics 
200 N. Patrick, #100 
Brookfield 53045 

Tel: (414) 792-0150 

FAX: (414) 792-0156 


Avnet Computer 


. 20875 Crossroads Circle, #400 


Waukesha 53186 
Tel: (414) 784-8205 
FAX: (414) 784-6006 


Hamilton Hallmark 
2440 S. 179th Street 
New Berlin 53146 
Tel: (414) 797-7844 
FAX: (414) 797-9259 


Pioneer Standard 

120 Bishop Way #163 
Brookfield 53005 

Tel: (414) 784-3480 
FAX: (414) 780-3613 


Wyle Laboratories 
W226 N555 Eastmound Drive 
Waukesha 53186 

Tel: (414) 521-9333 

FAX: (414) 521-9498 


ALASKA 


Avnet Computer 
1400 West Benson Blvd., #400 


| Anchorage 99503 


Tel: (307) 274-9899 
FAX: (907) 277-2639 


CANADA 


ALBERTA 


Avnet Computer 

2816 21st Street Northeast 
Calgary T2E 6Z2 

Tel: (403) 291-3284 

FAX: (403) 250-1591 


Zentronics 

6815 8th Street N.E., #100 
Calgary T2E 7H 

Tel: (403) 295-8838 

FAX: (403) 295-8714 


- BRITISH COLUMBIA 


Almac Arrow Electronics 
8544 Baxter Place 


“ Burnaby V5A 4T8 
-. Tel: (604) 421-2333 
- FAX: (604) 421-5030 


Hamilton Hallmark 
8610 Commerce Court 
Burnaby V5A 4N6 

Tel: (604) 420-4101 
FAX: (604) 420-5376 


Zentronics 
11400 Bridgeport Rd., #108 


Richmond V6X 1T2 


Tel: (604) 273-5575 
FAX: (604) 273-2413 


ONTARIO 


Arrow/Schweber Electronics 
1093 Meyerside, Unit 2 


’ Mississauga L5T 1M4 


Tel: (416) 670-7769 
FAX: (416) 670-7781 


Arrow/Schweber Electronics 
36 Antares Dr., Unit 100 


- Nepean K2E 7W5 


Tel: (613) 226-6903 
FAX: (613) 723-2018 


Avnet Computer 

Canada System Engineering Group 
151 Superior Blvd. 
Mississuaga L5T 2L1 

Tel: (416) 795-3835 

FAX: (416) 677-5091 


Avnet Computer 

190 Colonade Road 
Nepean K2E 7J5 
Tel: (613) 727-2000 . 
FAX: (613) 226-1184 


Hamilton Hallmark 

151 Superior Bivd., Unit 1-6 
Mississauga L5T 2L1 

Tel: (416) 564-6060 

FAX: (416) 564-6033 


Hamilton Hallmark 
190 Colonade Road 
Nepean K2E 7J5 
Tel: (613) 226-1700 
FAX: (613) 226-1184 


Zentronics 

5600 Keaton Crescent, #1 
Mississauga L5R 3S5 

Tel: (416) 507-2600 

FAX: (416) 507-2831 


Zentronics 
nee 55 Colonnade Rd., ouu 


| Nepsee K2E 7K1 


Tel: (613) 226-8840 
FAX: (613) 226-6352 


QUEBEC 


Arrow/Schweber Electronics 
1100 St. Regis Blvd. 

Dorval H9P 2T5 

Tel: (614) 421-7411 

FAX: (514) 421-7430 


Arrow/Schweber Electronics . 


- 500 Boul. St.-Jean- “Baptiste AVG: i. 


Quebec H2E 5R9 


Tel: (418) 871-7500 
FAX: (418) 871-6816 


Avnet Computer 
2795 Reu Halpern 
St. Laurent H4S 1P8 
Tel: (514) 335-2483 
FAX: (514) 335-2481 


Hamilton Hallmark 


_ 7575 Transcanada Highway 


#600 

St. Laurent H4T 2V6 
Tel: (514) 335-1000 
FAX: (514) 335-2481 


Zentronics 

520 McCaffrey 

St. Laurent H4T 1N3 
Tel: (514) 737-9700 
FAX: (514) 737-5212. 
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FINLAND 


Intel Finland OY 
Ruosilantie 2 

00390 Helsinki 

Tel: (358) 0 544 644. 
FAX: (358) 0 544 030 


FRANCE 


Intel Corporation S.A.R.L. 
1, Rue Edison-BP 303 


78054 St. Quentin-en-Yvelines:. 


Cedex 
Tel: (33) (1) 30 57 70 00. 
FAX: (33) (1) 30 64 60 32. 


EUROPEAN SALES OFFICES 


GERMANY 


Intel GmbH 

Dornacher Strasse 1° 
85622 Feldkirchen/Muenchen 
Tel: (49) 089/90992-0 

FAX: (49) 089/9043948 | 


ISRAEL 
Intel Semiconductor Ltd. - 


Atidim industrial Park-Neve Sharet_ | 


P.O. Box 43202 
Tel-Aviv 61430 : 
Tel: (972) 03 498080 
FAX: (972) 03 491870 


: ITALY 


Intel Corporation Italia S. .p. A. 
Milanofiori Palazzo E - 
20094 Assago 


_ Milano 


Tel: (39) (2) 575441 
FAX: (39) (2) 3498464 


NETHERLANDS . 


Intel Semiconductor B.V. 
Postbus 84130 


- 3009 CC Rotterdam 


Tel: (31) 10 407 11 11 
FAX: (31) 10 455 4688 


RUSSIA — 


Intel Technologies, Inc. - 
Krementshugskaya 6/7 
121357 Moscow . 

Tel: 007-095-4439785 
FAX: 007-095-4459420:° 


- TLX: 612092 smail su. 


SPAIN 


Intel Iberia S.A. 
Zubaran, 28 

28010 Madrid 

Tel: (34) (1) 308 2552 
FAX: (34) (1) 410 7570 


SWEDEN 


Intel Sweden A.B. 
Dalvagen 24 


171 36 Solna 
. Tel: (46) 8 705 5600 


FAX: (46) 8 278085 


UNITED KINGDOM 


Inte! Corporation (U.K.) Ltd. 
Pipers Way 


Swindon, Wiltshire SN3-1RJ . 


Tel: (44) (0793) 696000. 
AX: (44) (0793) 641440 ~ 


_ EUROPEAN DISTRIBUTORS/REPRESENTATIVES 


AUSTRIA 


t*Elbatex GmbH 
Eitnergasse 6 

A-1231 Wien 

Tel: (43) 1816020 — 
FAX: (43) 181652141 


tSpoerle Electronic - 
Heiligenst. Str. 62 
A-1190 Wien 

Tel: (43) 1 318:72 700. 
FAX: (43) 1 369 22 73 


BELGIUM 

t*Inelco Distribution 

Avenue des Croix de Guerre 94 
1120 Bruxelles 

Tel: (32) 2 244 2811 

FAX: (32) 2 216 3304 


*Diode Belgium 
Keiberg Il, 
1930 ventem 
Tel: (82) 2 7254660: 
FAX: (32) 2 725 45 11 


DENMARK |... .. 


*Avnet Nortec A/S 
Transformervej 17 
DK-2730 Herlev 

Tel: (45) 4284 2000 
FAX: (45) 4492 1552: . 


t*ITT sla AS 
Naverland 29 

DK-2600 Glostrup . 

Tel: (45) 4245 6645 

FAX: (45) 4245 7624 


FINLAND 


t*OY Fintronic AB 
Pyyntitie, 3 

02230 Espoo 

Tel: (358) 0 887 331 
FAX: (358) 0 887 33 343 


FRANCE 


*Arrow Electronique . 
73-79 Rue des Solets 
Silic 585 

94663 Rungis Cedex 
Tel: (33) (1) 4978 4978 
FAX: (33) (1) 4978 0596 


*Avnet 

79, rue Pierre Semard 
92322 Chatillon 

Tel: (33) (1) 4965 2500 
FAX: (33) (1) 4965 2769 


tMetrologie 

Tour d’Asnieres 

4, Avenue Laurent Cely 
92606 Asnieres Cedex 

Tel: (33) (1) 4080 9000 
FAX: (33) (1) 4791 0561 


*Tekelec 

Cite des Bruyeres 

5, Rue Carle Vernet-BP 2 
92310 Sevres 

Tel: (33) (1) 4623 2425 
FAX: (33) (1) 4507 2191 


‘Components _ 
tSystems'  - 
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GERMANY 


*Avnet Electronic 2000 
Stahigruberring 12 
81829 Muenchen 

Tel: (49) 89 45110-01 
FAX: (49) 89 45110129 


*Jermyn GmbH 

Im Dachsstueck 9: 
65549 Limburg 

Tel: (49) 6431 5080 
FAX: (49) 6431 508289 


tMetrologie GmbH 
Steinerstrasse 15 «— 
81369 Muenchen ._ 
Tel: (49) 89 724470 - 
FAX: (49) 89 72447111 


*Proelectron Vertriebs GmbH . 
Max-Planck-Strasse 1-3 


-, 63303 Dreieich’ 
' ~ Tel: (49) 6103 304343. 
“FAX: (49) 6103 304425 


tRein Elektronik GmbH | 
Loetscher Weg 66 
41303 Nettetal _ 

Tel: (49) 2153 7330 


- FAX: (49) 2153 733513 


GREECE 


tErgodata » 
z Aigiroupoleos 2A 
. 176 76 Kalithea 
Tel: (30) 1 95 10 922 


FAX: (30) 1 95 93 160 


 *Pouliadis Associates Corp. i 
’ Aristotelous St. 3/Sygrou v. 150 : 


Athens 17671 . 
Tel: (30) 1 924 2072 
FAX: (30) 1 924 1066 . 


IRELAND 
t*Micro Marketing. 


‘Taney Hall 
’ Eglinton Terrace 
~ Dundrum 


Dublin 14 
Tel: (353) (1) 298 9400 
FAX: (353) (1) 298 9828 


ISRAEL 


+*Eastronics Limited 
Rozanis 11 

P.O.B. 39300 

Tel Baruch 

Tel-Aviv 61392 

Tel: (972) 3 6458 777 
FAX: (972) 3 6458 666 


ITALY 


*intesi Div. Della Deutsche 
Divisione ITT Industries GmbH 
P.I. 06550110156 

Milanofiori Palazzo e5 

20094 Assago (Milano) 

Tel: (39) 2 824701 

FAX: (39) 2 8242631 


*Lasi Elettronica 

P.|. 00839000155 

Viale Fulvio Testi, N. 280 
20126 Milano 

Tel: (39) 2 661431. 

FAX: (39) 2 66101385 


tOmnilogic Telcom 


”.. Via Lorenteggio 270/A 


20152 Milano. 
Tel: (39) 2 48302640 
FAX: (39) 2 43802010 - 


NETHERLANDS 
“+ tDateicom B.V. 


Meidoornkade 22 
3993 AE Houten . 
Tel: (31) 3403 57222 


FAX: (31) 3403 57220 — 


. *Diode Components 
' Coltbaan 17 


3439 NG Nieuwegein 
Tel: (31) 3402 9 12 34 
FAX: (31) 3402 3 59 24 


t*Koning en Hartman ete 
Energieweg 1 


-. 2627 AP Delft 

- Tel: (31) 15 609 906... 
"FAX: (31) 15 619 194 
_. NORWAY 


- *Avnet Nortec A/S 


Postboks 123 . 
N-1364 Hvalstad 


Tel: (47) 284 6210 


FAX: (47) 284 6545 - 


' tComputer System Integration NS 


Postbox 198 
N-2013 Skjetten 
Tel: (47) 638 45 411 


_ FAX: (47) 638 45 310 » 


~ PORTUGAL 
'- *ATD Electronica LDA 


Edificio Altejo 

Rua 3 piso 5-sala 505 
Urbanizacao de Matinha 
1900 Lisboa 

Tel: (351) (1) 858 0191 /2 
FAX: (351) (1) 858 7841 


tMetrologia Iberica Portugal 

Rua Dr. Faria de Vasconcelos 3A 
1900 Lisboa 

Tel: (851) (1) 847 2202 

FAX: (351) (1) 847 2197 


SOUTH AFRICA 


T*EBE 

PO Box 912-1222 
Silverton 0127 

178 Erasmus Street 
Meyerspark 

Pretoria 0184 

Tel: (27) 12 803 7680-93 
FAX: (27) 12 803 8294 


SPAIN 


*ATD Electronica 


’. Avenue de la Industria, 32, 2B. 


28100 Alcobendas 
Madrid , 
Tel: (34) (1) 661 6551 
FAX: (34) (1) 661 6300 


tMetrologia Iberica - 
Avda. Industria, 32-2 
28100 Alcobendas 
Madrid 

Tel: (34) (1) 661 1142 
FAX: (34) (1) 661 5755 . 


SWEDEN 


tAvnet Computer AB 
Box 184 
S-123 23 Farsta 

Tel: (46) 8 705 18 00. 
FAX: (46) 8 735 2373 . 


*Avnet Nortec AB . 


- Box 1830 


S-171 27 Solna 
Tel: (46) 8705 1800 


_ FAX: (46) 883 6918 


*ITT Multikomponent AB 
Ankdammsgatan 32 

Box 1330 

S-171 26 Soina 

Tel: (46) 8 830020 
FAX: (46) 8 271303 | 


SWITZERLAND 


tElbatex AG 

Hardstr. 7 ; 
CH-5430 Wettingen | 
Tel: (41) 56 27 50 00 
FAX: (41) 27 19 24 © 


tFabrimex AG 
Kirchenweg 5 
CH-8032 Zurich 

Tel: (41) 1 386 86 86 
FAX: (41) 1 383 23 79 


tiMIC Microcomputer 
Zurichstrasse 
CH-8185 Winkel-Ruti 
Tel: (41) (1) 8620055 
FAX: (41) (1) 8620266 


t*Industrade AG 
Hertistrasse 31 
CH-8304 Wallisellen - 
Tel: (41) (1) 8328111 
FAX: (41) (1) 8307550 


TURKEY 


*Empa Electronic 
Florya Is Merkezi 
Besyol Londra Asfalti 
34630 Florya Istanbul 
Tel: (90) (1) 599 3050 
FAX: (90) (1) 599 3061 


UNITED KINGDOM 


*Arrow Electronics 


’ $t. Martins Business Centre 


Cambridge Road 
Bedford - MK42 OLF 

Tel: (44) 234 270272: 
FAX: (44) 234 211434 


*Avnet EMG Ltd. 

Jubilee House... 
Jubilee Road : 
Letchworth : 


_ Hertsfordshire - SG6 1QH 


Tel: (44) 462 488 500 
FAX: (44) 462 488 567 


*Bytech Components 
12a Cedarwood 


‘ Chineham Business Park 


4 Crockford Lane 
Basingstoke _ 


'. Hants RG12 1RW 
~ .. Tel: (44) 256 707 107 
' FAX: (44) 256 707 162 © 


c eh ech Systems . 


e Sterling Centre 
Eastern Road 
Bracknell 
Berks - RG12 2PW 
Tel: (44) 344 55 333 
FAX: (44) 344 867 270: 


*Datrontech 


. 42-44 Birchett Road. 


Aldershot 


‘. Hants—GU11 1LU 


Tel: (44) 252 313155 


_ FAX: (44) 252 341939 |. 


*Jermyn Electronics ._.. 
Vestry Estate 
Otford Road 


"Sevenoaks 
'- Kent TN14 5EU 


Tel: (44) 732 743 743 


_ FAX: (44) 732 451 251 
; tMetrologie VA 


Rapid House 

Oxford Road 

High Wycombe 

Bucks - HP11 2E 

Tel: (44) 494 526 271 
FAX: (44) 494 421 860 


*MMD/Rapid Ltd. 
Rapid Silicon 

3 Bennet Court 
Bennet Road 

Reading 

Berks - RG2 0QX 

Tel: (44) 734 750 697 
FAX: (44) 734 313 255 
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AUSTRALIA 


Intel Australia Pty. Ltd. 

Unit 13 

Allambie Grove Business Park 
25 Frenchs Forest Road East 
Frenchs Forest, NSW, 2086 
Sydney 

Tel: 61-2-975-3300 

FAX: 61-2-975-3375 


Intel Australia Pty. Ltd. 
711 High Street 

1st Floor 

East Kw. Vic., 3102 
Melbourne 

Tel: 61-3-810-2141 
FAX: 61-3-819 7200 


BRAZIL 


Intel Semicondutores do Brasil 
Rua Florida, 1703-2 and CJ.22 
CEP 04565-001 Sao Paulo 

SP Brazil 

Tel: 55-11-530-2296 

FAX: 55-11-531-5765 


CHINA/HONG KONG 


Intel PRC Corporation . 
Room 517-518 

China World Tower 

1 Jian Guo Men Wai Avenue 
Beijing 100004 

Republic of China 

Tel: 861-505-0386 

FAX: 861-505-0383 


INTERNATIONAL SALES OFFICES 


Intel Semiconductor Ltd.* 
32/F Two Pacific Place 
88 Queensway 

Central 

Hong Kong 

Tel: (852) 844-4555 

FAX: (852) 868-1989 


INDIA 


Intel Asia Electronics, Inc. 
4/2, Samrah Plaza 

St. Mark's Road 

Bangalore 560001 

Tel: 91-80-215065 

FAX: 91-80-215067 

TLX: 953-845-2646 INTL IN 


JAPAN 


Intel Japan K.K. 

5-6 Tokodai, Tsukuba-shi 
Ibaraki, 300-26 

Tel: 0298-47-8511 

FAX: 0298-47-8450 


Intel Japan K.K.* 
Hachioji ON Bldg. 
4-7-14 Myojin-machi 
Hachioji-shi, Tokyo 192 
Tel: 0426-48-8770 ~ 
FAX: 0426-48-8775 


Intel Japan K.K.* 
Kawa-asa Bldg. 

2-11-5 Shin-Yokohama 
Kohoku-ku, Yokohama-shi 
Kanagawa, 222 

Tel: 045-474-7660 

FAX: 045-471-4394 


Intel Japan K.K.* 
Ryokuchi-Eki Bldg. 

2-4-1 Terauchi 
Toyonaka-shi, Osaka 560 
Tel: 06-863-1091 

FAX: 06-863-1084 


Intel Japan K.K. 
Shinmaru Bldg. 

1-5-1 Marunouchi ~ 
Chiyoda-ku, Tokyo 100 
Tel: 03-3201-3621 

FAX: 03-3201-6850 


Intel Japan K.K.* 

TK Gotanda Bldg. 9F 
8-3-6 Nishi Gotanda 
Shinagawa, Tokyo 141 
Tel: 03-3493-6081 
FAX: 03-3493-5951 


KOREA 


Intel Korea, Ltd. 

16th Floor, Life Bldg. 

61 Yoido- -dong, Youngdeungpo- -Ku 
Seoul 150-010 

Tel: (2) 784- 8186 

FAX: (2) 784-8096 


MEXICO 


Intel Lar Sivas de Mexico 
S.A. de C.V. 

Av. Mexico No. 2798- 9B, S.H. 
44680 Guadalajara, Jal. | 

Tel: 011-523-640-1259 

FAX: 011-523-642-7661 


SINGAPORE 


Inte! Singapore Technology, Ltd. 
101 Thomson Road #08-05 
United Square 

Singapore 1130 

Tel: (65) 250-7811 EA a 
FAX: (65) 250-9256 oe 


TAIWAN 


Intel Technology Far East Ltd. 

Taiwan Branch 

8th Floor, No. 205 

Bank Tower Bidg. 

Tung Hua N. Road 

Taipei 

Tel: 886-2-5144200 

FAX: 886-2-717-2455. 
886-2-719-6184 — 


INTERNATIONAL DISTRIBUTORS/REPRESENTATIVES 


ARGENTINA 


Dafsys Consulting S.A. 
Chacabuco, 90-6 Piso 
1069-Buenos Aires 

Tel. & FAX: 54.1334.1871 


AUSTRALIA 


NJS Electronics Australia 
1A/37 Ricketts Road 
Mount Waverley, VIC 3149 
Tel: 61-3-558-9868 

FAX: 61-3-558-9929 


NSD-Australia 

205 Middleborough Rd. 
Box Hilt, Victoria 3128 
Tel: 03 8900970 

FAX: 03 8990819 


BRAZIL 


Hitech 

Luis Carlos Berrini, 801 CJ121 
04571, Sao Paulo, SP Brazil 
Tel: 5511-536-0355 

FAX: 5511-240-2650 


Microlinear 
Avenida Wilhelm Winter, 345 
Distrito Industrial - Jundiai, SP 
13213-000 

Tel: 5511-732-6111 
FAX: 5511-732-2892 


CHILE 


Sisteco 

Vecinal 40—Las Condes 
Santiago 

Tel: 562-234-1644 

FAX: 562-233-9895 


CHINA/HONG KONG 


Novel Precision Machinery Co., Ltd. 


Room 728 Trade Square 
681 Cheung Sha Wan Road 
Kowloon, Hong Kong 

Tel: (852) 360-8999 

TWX: 32032 NVTNL HX 
FAX: (852) 725-3695 


*Field Ayplication Location 


GUATEMALA 
Abinitio 

11 Calle 2—Zona 9 
Guatemala City 
Tel: 5022-32-4104 
FAX: 5022-32-4123 


INDIA 


Priya International Limited . 

D-6, Il Floor 

Devatha Plaza 

131/132 Residency Rd. 
Bangalore 560 025 

Tel: 91-80-214027, 91-80-214395 
FAX: 91-80-214105 


Priya International Limited 

Apeejay House, 4th Floor — 

130 Apollo Street 

Bombay 400 023 

Tel: 91-22-2660949, 91-22-2665822 


Priya International Limited 

Flat No. 8, 10th Floor 

Akashdeep Building 

Barakhamba Rd. 

New Delhi 110 001 

Tel: 91-11-3314512, 91-11-3310413 
FAX: 91-11-3719107 


Priya International Limited 

5-J, Century Plaza 

560-562 Mount Road, Teynampet 
Madras 600 018 

Tel: 91-44-451031, 91-44-451597 
FAX: 91-44-813549 


Priya International Limited 

No. 10, tl Floor, Minerva House 

94 Sarojini Devi Rd. 

Secunderabad 500 003 

Tel: 91-842-813120, 91-842-813549 


Priya International Limited 

Lords, Ill Floor 

7/1 Lord Sinha Road 

Calcutta 700 071 

Tel: 91-33-222378, 91-33-222379 
FAX: 91-33-224884 


SES Computers & Technologies 
Pvt. Ltd. 

11/18, SNS Chambers 

239 Palace Upper Orchards 

Sankey Road, rials 

Bangalore 560 080 

Tel: 91-812-348481 


’ FAX: 91-812-343685 


SES Computers & Technologies 
Pvt. Ltd. 

Arvind Chambers 

194, Andheri-Kurla Road 

Andheri (East) 

Bombay 400 069 _. 

Tel: 91-22-6341584, 91-22-6341667 

FAX: 91-22-4937524 


aS Pe meuier & Technologies 
vt 

605-A, Ansal Chambers Il 

No. 6, Bhikaji Camaplace 

New Delhi 110 066 

Tel: 91-11-6881663 

FAX: 91-11-6840471 ° 


JAMAICA 
MC Systems 


. 10-12 Grenada Crescent 


Kingston 5 
Tel: (809) 926-0104 
FAX: (809) 929-5678 


JAPAN 


Asahi Electronics Co. Ltd. 
KMM Bldg. 2-14-1 Asano 
Kokurakita-ku 
Kitakyushu-shi 802 

Tel: 093-511-6471 

FAX: 093-551-7861 _ 
Dia Semicon Systems, Inc. 

Flower Hill Shinmachi Higashi-kan 
1-23 Shinmachi, Setagaya-ku 
Tokyo 154 

Tel: 03-3439-1600 

FAX: 03-3439-1601 


~ Okaya Koki 

2-4-18 Sakae 

Naka-ku, Nagoya-shi 460 
Tel: 052-204-8315 

FAX: 052-204-8380 


Ryoyo Electro Corp. 
Konwa Bldg. 
1-12-22 Tsukiji 
Chuo-ku, Tokyo 104 
Tel: 03-3546-5011 
FAX: 03-3546-5044 


KOREA 


Samsung Electronics 

Samsung Main Bldg. 

150 Taepyung-Ro-2KA, Chung-Ku 
Seoul 100-102 

C.P.O. Box 8780 

Tel: (822) 751-3680 

TWx: KORSST K 27970 

FAX: (822) 753-9065. 


Tong Baek Electronic Co., Ltd. 
16-58 Hangang-ro 3-ga 
Yongsan-gu, Seoul 

Tel: 82-2-715-6623 

FAX: 82-2-715-9374 


SAUDI ARABIA 


AAE Systems, Inc. | 
642 N. Pastoria Ave. 
Sunnyvale, CA 94086 


U.S.A. 
Tet (408) 732-1710 
FAX: (408) 732-3095 
TLX: 494-3405 AAE SYS 


SINGAPORE 


Electronic Resources Pte, Ltd. 
17 Harvey Road 

#03-01 Singapore 1336 

Tel: (65) 283-0888 

TWX: RS 56541 ERS - 
FAX: (65) 289-5327 


SOUTH AFRICA 


~ Electronic Building Elements 


178 Erasmus St... 

(off Watermeyet St.). 
Meyerspark, Pretoria, 0184 
Tel: 011-2712-803-7680 
FAX: 011-2712-803-8294 


TAIWAN 


Micro Electronics Corporation | 
12th Floor, Section3 
285 Nanking East Road 
Taipei, R.O.C. 

Tel: (886) 2-7198419 
FAX: (886) 2-7197916 


Acer Sertek Inc. 

15th Floor, Section 2 
Chien Kuo North Rd. 
Taipei 18479 R.O.C. 
Tel: 886-2-501-0055 
TWX: 23756 SERTEK 
FAX: (886) 2-5012521 


URUGUAY 


Interfase 

Bivr. Espana 2094 

11200 Montevideo 
Tel: 5982-49-4600 

FAX: 5982-49-3040 


VENEZUELA 


Unixel C.A. 

4 Transversal de Monte Cristo 
Edf. AXXA, Piso 1, of. 1&2 
Centro Empresarial Boleita: 
Caracas 

Tel: 582-238-7749 

FAX: 582-238-1816 


CG/SALE/1 11293 


In 


ALABAMA 


Birmingham 
Huntsville 


ALASKA . 
Anchorage 


ARIZONA 


Phoenix* 
Tucson r 


ARKANSAS 
Little Rock 


CALIFORNIA 


Bakersfield 
Brea 

Carson* 
Fresno 
Livermore 

Mar Del Rey 
Ontario* 
Orange 
Sacramento* 
San Diego* 
San Francisco* 
Santa Clara* 
Ventura 
Sunnyvale 
Walnut Creek* 
Woodiand Hills* . . 


COLORADO 


Colorado Springs 
Denver 
Englewood* . 
CONNECTICUT _ 
Glastonbury*. 


DELAWARE 
New Castle 


FLORIDA 


Ft. Lauderdale 
Heathrow 
Jacksonville 
Melbourne © 
Pensacola 
Tampa 

West Palm: Beach 


ARIZONA 


Computervision Customer 


Education 


2401 W. Behrend Dr., Suite 17 


Phoenix 85027 


Tel: 1-800-234-8806 _ 


MINNESOTA | 


3500 W. 80th Street 
Suite 360 

Bloomington 55431 
Tel: (612) 835-6722 


*Carry-in locations 


NORTH AMERICAN SERVICE OFFICES 


COMPUTERVISION | 
Intel. Corporation’ s North American Preferred Service Provider | 


Central Dispatch: 1-800-876- SERV (1-800-876- li ae 


GEORGIA 


Atlanta* 
Savannah 
West Robbins 


HAWAII 


Honolulu 


ILLINOIS 


Buffalo* 
Calumer City - 
Chicago 
Lansing’ 

Oak Brook 


INDIANA |” 


Carmel* 
Ft. Wayne 


KANSAS 
Overland Park* 
Wichita 

KENTUCKY 


Lexington 
Louisville 


*: Madisonville - 


LOUISIANA 


Baton Rouge 
Metarie 


MAINE 
Brunswick 


MARYLAND 


Frederick 
Linthicum* 
Rockville* 


MASSACHUSETTS 
Boston* 
Natick* 


Norton*, 
Springfield — 


ILLINOIS — 


Computervision Customer 


Education 

1 Oakbrook Terrace 
Suite 600 
Oakbrook 60181 


Tel: 1-800-234-8806 _ 


‘SYSTEMS ENGINEERING OFFICES 


‘NEW YORK 


2950 Expressway Dr., South 


Islandia 11722 
Tel: (506) 231-3300 


MICHIGAN 
Ann Harbor 


Benton Harbor . 


Flint 

Grand Rapids*. 
Leslie 
Livonia* 


*" §t. Joseph 


Troy* 
MINNESOTA... 


Bloomington* 
Deluth 


MISSOURI 
Springfield 
St. Louis* 

NEVADA 


Minden 
Las Vegas 
Reno 


NEW HAMSHIRE > 


Manchester* 


NEW JERSEY 
Edison* 


' ;Hamton Town* 


’Parsippany* 
NEW MEXICO 

Albuquerque 
NEW YORK | 


Albany* 
Amherst* 
Dewitt* 
Fairport* 
Farmingdale* 
New York City* 


NORTH CAROLINA 


Brevard 
Charlotte 


*: Greensboro 


Haveluch 
Raleigh 
Wilmington 


MASSACHUSETTS 


Computervision Customer . 


Education .. 
11 Oak Park Drive 
Bedford 01730 | 


Tel: 1-800-234-8806 ° 


NORTH DAKOTA 
Bismark 


OHIO 


Cincinnati* 
Columbus 
Dayton 
Independence* 
Middle Heights* 
Toledo* , 


OREGON 
Beaverton* 


PENNSYLVANIA. 


Bala Cynwyd* 
Camp bi 
East Erie 
Pittsburgh* 
Wayne* 


SOUTH CAROLINA 


Charleston 
Cherry Point 
Columbia 
Fountain Inn 


SOUTH DAKOTA 
Sioux Falls 
TENNESSEE 


Bartlett 
Chattanooga 
Knoxville 
Nashville 


TEXAS . 
Austin 
Bay City 
Beaumont 
Canyon 
College Station 
Houston* 
Irving* 
San Antonio 
Tyler 


UTAH 
Salt Lake City* 


CUSTOMER TRAINING CENTERS 


VIRGINIA 


Charlottesville te 


Glen Allen’ 
Maclean* 
Norfolk 
Virginia Beach 


WASHINGTON 


Bellevue* 
Olympia . 
Renton |. 
Richland 
Spokane 
Verdale 


WASHINGTON D.C.* ee, 


WEST VIRGINIA — 


St. Albans 


WISCONSIN 


ae ” Brookfield* °: , 


Green Bay - 
Madison 
Wausau 


CANADA 


Calga 
Calgary* 
Halifax 


London* ..° 


Montreal* .- ~ 
Ottawa: 
Toronto* 
Vancouver, BC* 
Winnipeg 
Regina 

St. John 
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